ON THE COMPUTATION OF RATIONAL POINTS OF A
HYPERSURFACE OVER A FINITE FIELD 

GUILLERMO MATERA$^{1,2}$, MARIANA PEREZ$^{1}$, AND MELINA PRIVITELLI$^{3}$


Abstract. We design and analyze an algorithm for computing rational points 
of hypersurfaces defined over a finite field based on searches on “vertical strips”, 
namely searches on parallel lines in a given direction. Our results show that, 
on average, less than two searches suffice to obtain a rational point. We also 
analyze the probability distribution of outputs, using the notion of Shannon 
entropy, and prove that the algorithm is somewhat close to any “ideal” equidistributed
algorithm.


1. Introduction 

Let $\mathbb{F}_q$ be the finite field of $q$ elements, $X_1, \dots, X_r$ indeterminates over $\mathbb{F}_q$ and
$\mathbb{F}_q[X_1, \dots, X_r]$ the ring of polynomials in $X_1, \dots, X_r$ with coefficients in $\mathbb{F}_q$. Let
$\mathcal{F}_{r,d} := \{F \in \mathbb{F}_q[X_1, \dots, X_r] : \deg(F) \le d\}$. Suppose that $r \ge 2$ and $d \ge 2$, and
let $F$ be an element of $\mathcal{F}_{r,d}$. In this paper we address the problem of finding an
$\mathbb{F}_q$-rational zero of $F$, namely a point $x \in \mathbb{F}_q^r$ with $F(x) = 0$.

It is well-known that the elements of $\mathcal{F}_{r,d}$ have $q^{r-1}$ zeros in $\mathbb{F}_q^r$ on average.
More precisely, we have the following result (see, e.g., [TUI Theorem 6.16]):

(1.1) $\dfrac{1}{|\mathcal{F}_{r,d}|} \sum_{F \in \mathcal{F}_{r,d}} N(F) = q^{r-1},$

where $N(F) := |\{x \in \mathbb{F}_q^r : F(x) = 0\}|$. This suggests a strategy to find an $\mathbb{F}_q$-rational
zero of a given $F \in \mathcal{F}_{r,d}$. Since the expected number of zeros of $F$ is equal
to the cardinality of $\mathbb{F}_q^{r-1}$, given $a_1 \in \mathbb{F}_q^{r-1}$, one may try to find a zero of $F$ having
$a_1$ as its first $r - 1$ coordinates. If the polynomial $F(a_1, X_r)$ has no zeros in $\mathbb{F}_q$,
then a further element $a_2 \in \mathbb{F}_q^{r-1}$ can be picked up to see whether $F(a_2, X_r)$ has a
zero in $\mathbb{F}_q$. The algorithm proceeds in this way until a zero of $F$ in $\mathbb{F}_q^r$ is obtained.

Following the terminology of [15], which considers the case $r = 2$, each set
$\{a_i\} \times \mathbb{F}_q$ is called a “vertical strip”. Therefore, our algorithm, which extends the
one of [15] to $r$-variate polynomials, is called “Search on Vertical Strips” (SVS for
short), and is described as follows.

Algorithm SVS.

Input: a polynomial $F \in \mathcal{F}_{r,d}$.

Output: either a zero $x \in \mathbb{F}_q^r$ of $F$, or “failure”.

Set $i := 1$ and $f := 1$

While $1 \le i \le q^{r-1}$ and $f = 1$ do

    Choose at random $a_i \in \mathbb{F}_q^{r-1} \setminus \{a_1, \dots, a_{i-1}\}$

    Compute $f := \gcd(F(a_i, X_r), X_r^q - X_r)$

    If $f = 0$, then choose $x_{r,i} \in \mathbb{F}_q$ at random
    If $f \notin \{0, 1\}$, then compute a root $x_{r,i} \in \mathbb{F}_q$ of $f$
    $i := i + 1$
End While

If $f \ne 1$ return $(a_i, x_{r,i})$, else return “failure”.

Ignoring the cost of random generation of elements of $\mathbb{F}_q^{r-1}$, at the $i$th step of the
main loop we compute the vector of coefficients of the polynomial $F(a_i, X_r)$. Since
an element of $\mathcal{F}_{r,d}$ has $D := \binom{d+r}{r}$ coefficients, the number of arithmetic operations
in $\mathbb{F}_q$ required to compute such a vector is $O^\sim(D)$, where the notation $O^\sim$ ignores
logarithmic factors. Throughout this paper, all asymptotic estimates are valid for
fixed $d$ and $r$, and $q$ growing to infinity. Then the gcd $f$ is computed, and a root
of $f$ in $\mathbb{F}_q$ is determined, provided that $f \ne 1$. This can be done with $O^\sim(d \log_2 q)$
arithmetic operations in $\mathbb{F}_q$ (see, e.g., [14, Corollary 14.16]). As a consequence, for
a choice $a := (a_1, \dots, a_{q^{r-1}})$ for the vertical strips to be considered, the whole
procedure requires $O^\sim(C_a(F) \cdot (D + d \log_2 q))$ arithmetic operations in $\mathbb{F}_q$, where
$C_a(F)$ is the least value of $i$ for which $F(a_i, X_r)$ has a zero in $\mathbb{F}_q$.
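The SVS loop and its gcd step can be exercised end to end with the following added example (not code from the paper). It assumes $q = p$ is prime, stores $F$ as a dictionary from exponent tuples to coefficients, and uses hypothetical helper names (`restrict`, `rational_part`, `find_root`, `svs`); the root of $f$ is extracted by equal-degree splitting, one standard way to realize the root-finding step, and the sample polynomial is constructed.

```python
import random

# Univariate polynomials over F_p: coefficient lists, lowest degree first; [] is 0.
def trim(f):
    while f and f[-1] == 0:
        f.pop()
    return f

def poly_mod(f, g, p):
    """Remainder of f modulo a nonzero g over F_p."""
    f, inv = trim([c % p for c in f]), pow(g[-1], -1, p)
    while len(f) >= len(g):
        c, shift = f[-1] * inv % p, len(f) - len(g)
        for i, gc in enumerate(g):
            f[shift + i] = (f[shift + i] - c * gc) % p
        trim(f)
    return f

def poly_mulmod(a, b, m, p):
    out = [0] * max(len(a) + len(b) - 1, 0)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % p
    return poly_mod(out, m, p)

def poly_powmod(base, e, m, p):
    """base^e mod m by square-and-multiply (O(log e) multiplications)."""
    result, base = poly_mod([1], m, p), poly_mod(base, m, p)
    while e:
        if e & 1:
            result = poly_mulmod(result, base, m, p)
        base, e = poly_mulmod(base, base, m, p), e >> 1
    return result

def poly_sub(a, b, p):
    n = max(len(a), len(b))
    return trim([(x - y) % p for x, y in zip(a + [0] * (n - len(a)), b + [0] * (n - len(b)))])

def poly_gcd(a, b, p):
    """Monic gcd over F_p."""
    a, b = list(a), list(b)
    while b:
        a, b = b, poly_mod(a, b, p)
    inv = pow(a[-1], -1, p) if a else 0
    return [c * inv % p for c in a]

def rational_part(h, p):
    """gcd(h, T^p - T) for nonzero h: product of (T - x) over the roots x of h in F_p."""
    return poly_gcd(h, poly_sub(poly_powmod([0, 1], p, h, p), [0, 1], p), p)

def find_root(g, p, rng=random):
    """Root of a monic non-constant divisor g of T^p - T (equal-degree splitting)."""
    if p == 2:
        return 0 if g[0] == 0 else 1
    while len(g) > 2:
        t = poly_powmod([rng.randrange(p), 1], (p - 1) // 2, g, p)
        h = poly_gcd(g, poly_sub(t, [1], p), p)
        if 1 < len(h) < len(g):
            g = h
    return -g[0] % p

def restrict(F, a, p):
    """Coefficients of F(a, X_r); F maps exponent tuples (e_1, ..., e_r) to coefficients."""
    h = [0] * (max((e[-1] for e in F), default=0) + 1)
    for exps, c in F.items():
        for ai, e in zip(a, exps[:-1]):
            c = c * pow(ai, e, p) % p
        h[exps[-1]] = (h[exps[-1]] + c) % p
    return trim(h)

def evaluate(F, x, p):
    h = restrict(F, x[:-1], p)
    return sum(c * pow(x[-1], i, p) for i, c in enumerate(h)) % p

def svs(F, r, p, rng=random):
    """Search on Vertical Strips: returns (zero or None, number of strips searched)."""
    seen = set()
    while len(seen) < p ** (r - 1):
        a = tuple(rng.randrange(p) for _ in range(r - 1))
        if a in seen:
            continue                  # strips are drawn without repetition
        seen.add(a)
        h = restrict(F, a, p)
        if not h:                     # F vanishes identically on this strip
            return a + (rng.randrange(p),), len(seen)
        g = rational_part(h, p)
        if len(g) > 1:                # F(a, X_r) has a root in F_p
            return a + (find_root(g, p, rng),), len(seen)
    return None, len(seen)

# Constructed sample input: F = X1^3 + X1*X2 + X3^2 + 7 over F_101 (r = 3, d = 3).
SAMPLE_P = 101
SAMPLE_F = {(3, 0, 0): 1, (1, 1, 0): 1, (0, 0, 2): 1, (0, 0, 0): 7}

if __name__ == "__main__":
    zero, strips = svs(SAMPLE_F, 3, SAMPLE_P)
    print("zero:", zero, "strips searched:", strips, "F(zero) =", evaluate(SAMPLE_F, zero, SAMPLE_P))
```

The second return value is the quantity $C_a(F)$ of the cost estimate above; the dominant work per strip is the computation of $T^p \bmod F(a, T)$ by repeated squaring.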

This paper is devoted to analyzing the SVS algorithm from a probabilistic point
of view. As its behavior is essentially determined by the number of vertical strips
which must be considered, we analyze, for a given $s \ge 1$, the probability distribution
of the number of searches performed by the algorithm. For this purpose, we consider
the set $\mathsf{F}$ of all possible choices of vertical strips and the random variable
$C_{r,d} : \mathsf{F} \times \mathcal{F}_{r,d} \to \mathbb{N}$ which counts the number of vertical strips that are searched. We
prove that the probability that $s$ vertical strips are searched, for “moderate” values
of $s$, satisfies the estimate

(1.2) $P[C_{r,d} = s] = (1 - \mu_d)^{s-1} \mu_d + O(q^{-1/2}),$

where $\mu_d := \sum_{j=1}^{d} (-1)^{j-1}/j!$. Observe that $\mu_d \approx 1 - e^{-1} = 0.6321\ldots$ for large $d$,
where $e$ denotes the basis of the natural logarithm. We remark that the quantity
$\mu_d$ arises also in connection with a classical combinatorial notion over finite fields,
that of the value set of univariate polynomials (cf. Jill, [23]). For a polynomial
$f \in \mathbb{F}_q[T]$, denote by $V(f) := |\{f(c) : c \in \mathbb{F}_q\}|$ the cardinality of the value set of
$f$. In gj, Birch and Swinnerton-Dyer established the following classical result: if
$f \in \mathbb{F}_q[T]$ is a generic polynomial of degree $d$, then $V(f) = \mu_d\, q + O(1)$.

The estimate (1.2) relies on the analysis of the behavior of the SVS algorithm
for a fixed choice $a_1, \dots, a_s \in \mathbb{F}_q^{r-1}$ for the first $s$ vertical strips. It turns out
that the probability that the $s$ vertical strips under consideration are searched
is essentially that of the right-hand side of (1.2). As a side note, this may be
considered as a “realistic” version of the SVS algorithm in the sense of [T]. As
the author states, “when a randomized algorithm is implemented, one always uses
a sequence whose later values come from earlier ones in a deterministic fashion.
This invalidates the assumption of independence and might cause one to regard
results about probabilistic algorithms with suspicion.” Our results show that the
probabilistic behavior of the SVS algorithm is not essentially altered when a fixed
choice of vertical strips is considered.

As a consequence of (1.2) we obtain an upper bound on the average-case complexity
$E[X]$ of the SVS algorithm, where $X : \mathsf{F} \times \mathcal{F}_{r,d} \to \mathbb{N}$ is the random variable
that counts the number of arithmetic operations in $\mathbb{F}_q$ performed for a given choice
of vertical strips on a given input. We prove that

(1.3) $E[X] \le \dfrac{1}{\mu_d}\, \tau(d, r, q) + O(q^{-1/2}),$

where $\tau(d, r, q) := O^\sim(D + d \log_2 q)$ is the cost of a search in a single vertical strip.
In other words, on average at most $1/\mu_d \approx 1.58$ vertical strips must be searched
to obtain a rational zero of the polynomial under consideration. Simulations we
run suggest that the upper bound (1.3) is close to optimal. We observe that the
probabilistic algorithms of [15] (for $r = 2$) and 0 and [20] (for general $r$) propose
$d$ searches in order to achieve a probability of success greater than 1/2. Our result
suggests that these analyses are somewhat pessimistic.

On the other hand, it must be said that the result of [15] holds for any bivariate
polynomial, while that of [5] is valid for any absolutely irreducible $r$-variate polynomial.
If the polynomials under consideration are produced by some complicated
process, it might be argued that our results do not contribute to the analysis of the
cost of the corresponding algorithm to search for $\mathbb{F}_q$-rational zeros. Nevertheless,
a crucial aspect of our approach is that we express the probability $P[C_{r,d} = s]$ of
(1.2), and thus the average-case complexity $E[X]$ of (1.3), in terms of the average
cardinality of the value set of certain families of univariate polynomials related to
the set of input polynomials under consideration. We believe that this technique
can be extended to deal with (linear or nonlinear) families of polynomials of $\mathcal{F}_{r,d}$,
provided that the asymptotic behavior of the average cardinality of the corresponding
families of univariate polynomials is known (see 0, [21] and [22] for results in
connection with this matter).

Another critical aspect to analyze is the distribution of outputs. Given $F \in \mathcal{F}_{r,d}$,
the SVS algorithm outputs an $\mathbb{F}_q$-rational zero of $F$, which is determined by certain
random choices made during its execution. As a consequence, it is relevant to have
insight on the probability distribution of outputs. For an “ideal” algorithm (from
the point of view of distribution of outputs), outputs should be equidistributed.
For this reason, in [15] the basic SVS strategy for bivariate polynomials over $\mathbb{F}_q$ is
modified so that all $\mathbb{F}_q$-rational zeros of the input polynomial are equally probable
outputs. Such a modification can also be applied to our algorithm.

Nevertheless, as this modification implies a certain slowdown, we shall pursue a
different course of action, analyzing the average distribution of outputs by means of
the concept of Shannon entropy. If the output for an input polynomial $F$ tends to
be concentrated on a few $\mathbb{F}_q$-rational zeros of $F$, then the “amount of information”
that we obtain might be said to be “small”. On the other hand, if all the $\mathbb{F}_q$-rational
zeros of $F$ are equally probable outputs, then the amount of information provided
by the algorithm is considered to be larger. Following [3] (see also 0 ), we define a
Shannon entropy $H_F$ associated to an input $F \in \mathcal{F}_{r,d}$ of the SVS algorithm, which
measures how “concentrated” are the corresponding outputs. Then we analyze the
average entropy $H$ when $F$ runs through all the elements of $\mathcal{F}_{r,d}$.

For an “ideal” algorithm for computing $\mathbb{F}_q$-rational zeros of elements of $\mathcal{F}_{r,d}$ and
$F \in \mathcal{F}_{r,d}$, it is easy to see that $H_F^{\mathrm{ideal}} = \log N(F)$, where $\log$ denotes the natural
logarithm. It follows that

$H^{\mathrm{ideal}} \le \log(q^{r-1})$

(see (5.3)). Our main result concerning the distribution of outputs asserts that

(1.4) $H \ge \dfrac{1}{2\mu_d} \log(q^{r-1}) \big(1 + O(q^{-1})\big).$

Since $1/(2\mu_d) \approx 0.79$ for large $d$, we may paraphrase (1.4) as saying that the SVS
algorithm is at least 79 per cent as good as any “ideal” algorithm, from the point
of view of the distribution of the outputs.

The proof of (1.4) relies on an analysis of the expected number of vertical strips of
the elements of $\mathcal{F}_{r,d}$, which may be of independent interest. Denote by $NS(r, d)$
the average number of vertical strips with $\mathbb{F}_q$-rational zeros of $F$, when $F$ runs
through all the elements of $\mathcal{F}_{r,d}$. We prove that

(1.5) $NS(r, d) = \mu_d\, q^{r-1} + O(q^{r-2}).$

We also estimate the variance of the number of vertical strips with $\mathbb{F}_q$-rational zeros.

The paper is organized as follows. Section 2 is devoted to the analyses of the
probability that one or two vertical strips are searched. In Section 3 we estimate
the expected number of vertical strips to be searched for a given choice of $s \ge 3$
vertical strips. We express the probability that $s$ vertical strips are searched in
terms of average cardinalities of value sets and apply estimates for the latter in
order to establish an explicit estimate of the former. In Section 4 we apply the
results of Sections 2 and 3 to establish (1.2) and (1.3). Section 5 is concerned
with the probability distribution of outputs. In Subsection 5.1 we establish (1.5)
and an estimate of the corresponding variance. In Subsection 5.2 we apply these
estimates to prove (1.4). Finally, in Section 6 we exhibit a few simulations aimed
at confirming the asymptotic results (1.2) and (1.3).


2. Probability of success in the first two searches 


We start by discussing how frequently one or two searches on vertical strips suffice
to find a zero of the input polynomial. As will become evident, this will happen
in most cases. Therefore, accurate estimates of the probability of these two cases
are critical for an accurate description of the behavior of the algorithm.


2.1. Probability of success in the first search. For integers $r \ge 2$ and $d \ge 2$,
we shall estimate the probability that the SVS algorithm, on input an element of
$\mathcal{F}_{r,d} := \{F \in \mathbb{F}_q[X_1, \dots, X_r] : \deg(F) \le d\}$, finds a root of it in the first vertical
strip. As $r$ and $d$ are fixed, we shall drop the indices $r$ and $d$ from the notations.

Each possible choice for the first vertical strip is determined by an element of
$\mathbb{F}_q^{r-1}$. As a consequence, we may represent the situation by means of the random
variable $C_1 := C_{1,r,d} : \mathbb{F}_q^{r-1} \times \mathcal{F}_{r,d} \to \{1, \infty\}$ defined in the following way:

$$C_1(a, F) := \begin{cases} 1 & \text{if } F(a, X_r) \text{ has an } \mathbb{F}_q\text{-rational zero}, \\ \infty & \text{otherwise.} \end{cases}$$

We consider the set $\mathbb{F}_q^{r-1} \times \mathcal{F}_{r,d}$ endowed with the uniform probability $P_1 := P_{1,r,d}$
and study the probability of the set $\{C_1 = 1\}$. The next result provides an exact
formula for this probability.


Theorem 2.1. For $q > d$, we have the identity

$$P_1[C_1 = 1] = \sum_{j=1}^{d} (-1)^{j-1} \binom{q}{j} q^{-j} + (-1)^{d} \binom{q-1}{d} q^{-d-1}.$$

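Proof. For any $F \in \mathcal{F}_{r,d}$, we denote by $VS(F)$ the set of vertical strips where $F$
has an $\mathbb{F}_q$-rational zero and by $NS(F)$ its cardinality, that is,

$$VS(F) := \{a \in \mathbb{F}_q^{r-1} : (\exists x_r \in \mathbb{F}_q)\ F(a, x_r) = 0\}, \qquad NS(F) := |VS(F)|.$$

It is easy to see that $\{C_1 = 1\} = \bigcup_{F \in \mathcal{F}_{r,d}} VS(F) \times \{F\}$. Since this is a union of
disjoint subsets of $\mathbb{F}_q^{r-1} \times \mathcal{F}_{r,d}$, it follows that

(2.1) $P_1[C_1 = 1] = \dfrac{1}{q^{r-1} |\mathcal{F}_{r,d}|} \sum_{F \in \mathcal{F}_{r,d}} NS(F).$

Fix $F \in \mathcal{F}_{r,d}$. Observe that

$$VS(F) = \bigcup_{x \in \mathbb{F}_q} \{a \in \mathbb{F}_q^{r-1} : F(a, x) = 0\}.$$

As a consequence, by the inclusion-exclusion principle we obtain

$$NS(F) = \Big| \bigcup_{x \in \mathbb{F}_q} \{a \in \mathbb{F}_q^{r-1} : F(a, x) = 0\} \Big| = \sum_{j=1}^{q} (-1)^{j-1} \sum_{X_j \subset \mathbb{F}_q} |\{a \in \mathbb{F}_q^{r-1} : (\forall x \in X_j)\ F(a, x) = 0\}|,$$

where $X_j$ runs through all the subsets of $\mathbb{F}_q$ of cardinality $j$. We conclude that

$$\sum_{F \in \mathcal{F}_{r,d}} NS(F) = \sum_{F \in \mathcal{F}_{r,d}} \sum_{j=1}^{q} (-1)^{j-1} \sum_{X_j \subset \mathbb{F}_q} |\{a \in \mathbb{F}_q^{r-1} : (\forall x \in X_j)\ F(a, x) = 0\}|.$$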


For any $j$ with $1 \le j \le q$, we denote

$$\mathcal{N}_j := \frac{1}{q^{r-1} |\mathcal{F}_{r,d}|} \sum_{F \in \mathcal{F}_{r,d}} \sum_{X_j \subset \mathbb{F}_q} |\{a \in \mathbb{F}_q^{r-1} : (\forall x \in X_j)\ F(a, x) = 0\}|,$$

where $X_j$ runs through all the subsets of $\mathbb{F}_q$ of cardinality $j$. If $j \le d$ and $a$ is fixed,
then the equalities $F(a, x) = 0$ ($x \in X_j$) are $j$ linearly-independent conditions on
the coefficients of $F$ in the $\mathbb{F}_q$-vector space $\mathcal{F}_{r,d}$. It follows that


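(2.2) $\mathcal{N}_j = \dfrac{1}{q^{r-1} |\mathcal{F}_{r,d}|} \sum_{X_j \subset \mathbb{F}_q} \sum_{a \in \mathbb{F}_q^{r-1}} |\{F \in \mathcal{F}_{r,d} : (\forall x \in X_j)\ F(a, x) = 0\}| = \dfrac{1}{q^{r-1+\dim \mathcal{F}_{r,d}}} \sum_{X_j \subset \mathbb{F}_q} \sum_{a \in \mathbb{F}_q^{r-1}} q^{\dim \mathcal{F}_{r,d} - j} = \binom{q}{j} q^{-j}.$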


On the other hand, if $j > d$, then $F(a, x) = 0$ for every $x \in X_j$ if and only if
$F(a, X_r) = 0$. The condition $F(a, X_r) = 0$ is expressed by means of $d + 1$ linearly-independent
linear equations on the coefficients of $F$ in $\mathcal{F}_{r,d}$. We conclude that

(2.3) $\mathcal{N}_j = \dfrac{1}{q^{r-1+\dim \mathcal{F}_{r,d}}} \sum_{X_j \subset \mathbb{F}_q} \sum_{a \in \mathbb{F}_q^{r-1}} q^{\dim \mathcal{F}_{r,d} - (d+1)} = \binom{q}{j} q^{-d-1}.$

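Combining (2.2) and (2.3) we obtain

$$P_1[C_1 = 1] = \sum_{j=1}^{q} (-1)^{j-1} \mathcal{N}_j = \sum_{j=1}^{d} (-1)^{j-1} \binom{q}{j} q^{-j} + q^{-d-1} \sum_{j=d+1}^{q} (-1)^{j-1} \binom{q}{j}.$$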


Finally, since

(2.4) $\sum_{j=d+1}^{q} (-1)^{j-1} \binom{q}{j} = \sum_{j=0}^{d} (-1)^{j} \binom{q}{j} = (-1)^{d} \binom{q-1}{d}$

(see, e.g., [T?; (5.16)]), we readily deduce the statement of the theorem. □


Next we discuss the asymptotic behavior of the probability $P_1[C_1 = 1]$. Fix
$d > 2$. From Theorem 2.1 it can be seen that

$$P_1[C_1 = 1] = \mu_d + O(q^{-1}), \qquad \mu_d := \sum_{j=1}^{d} \frac{(-1)^{j-1}}{j!}.$$

To show this, given positive integers $k, j$ with $k \le j$, we shall denote by $\left[{j \atop k}\right]$ the
unsigned Stirling number of the first kind, namely the number of permutations of
$j$ elements with $k$ disjoint cycles. The following properties of the Stirling numbers
are well-known (see, e.g., ns §a.8]):


$$\left[{j \atop j}\right] = 1, \qquad \sum_{k=0}^{j} \left[{j \atop k}\right] = j!.$$


We shall also use the following well known identity (see, e.g., m (6.13)]):

(2.5) $\binom{q}{j} = \sum_{k=0}^{j} \dfrac{(-1)^{j-k}}{j!} \left[{j \atop k}\right] q^{k}.$


According to Theorem 2.1 and (2.5), we have


^ J ( i \j—k 

A[Ci = 1] = ^(-l)'- 1 +— 


3=1 


= E 

j=i 


-1 V'-l 


(- 1 ) 


y 


k -0 

y 

.j. 


+ (-l) d 




v (-d j 

A\ 


3 ^ ( 1 1 


EE 

j —1 fc—o 


(-ir 


3=1 

3 

k 


3- 


j - 1. 


+ (-y d 
It follows that

A[tt = i] = tu + l-£k$V 


As a consequence, for d > 2 we obtain 

d 


d j—2 

-EE 


J —1 /c —0 


(~i) A 

j! 




\Pi[Ci = l]-ii d \<^ 


E 

i=i 


(- 1 V /O’ 


r- 


3 -2 


yy- 

' 7 ! k a 
j=i fc=o J L J y 


1 


1 fq — 1 

d 


1 d 1 

< ■;-1- n + 7T- 


4 g 


2 g 


For d = 2, this inequality is obtained by a direct calculation. We have therefore 
the following result. 


Corollary 2.2. For q > d, 

I-Pi [Ci = 1] — fj,d\ < -• 

q 

As $d$ tends to infinity, the number $P_1[C_1 = 1]$ tends to $1 - e^{-1} = 0.6321\ldots$,
where $e$ denotes the basis of the natural logarithm. This explains the numerical
results in the first row of the tables of the simulations of Section 6.

It is worth remarking that the quantity $P_1[C_1 = 1]$ is closely connected with the
probability that a univariate polynomial of degree at most $d$ has $\mathbb{F}_q$-rational roots.
More precisely, consider the set $\mathcal{F}_{1,d}$ of univariate polynomials of degree at most $d$
with coefficients in $\mathbb{F}_q$, endowed with the uniform probability $p_{1,d}$, and the random
variable $N_{1,d} : \mathcal{F}_{1,d} \to \mathbb{Z}_{\ge 0}$ which counts the number of $\mathbb{F}_q$-rational zeros, namely

$$N_{1,d}(f) := |\{x \in \mathbb{F}_q : f(x) = 0\}|.$$

The random variable $N_{1,d}$ has been implicitly studied in the literature (see, e.g.,
m § 2 ] or ns Theorem 3]). It can be proved that, for $q > d$,

$$p_{1,d}[N_{1,d} > 0] = P_1[C_1 = 1],$$
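The exact formula of Theorem 2.1 and the identity above can be checked by exhaustive enumeration over small fields. The following is an added example, not part of the paper; it assumes $q = p$ prime, and the function names are hypothetical.

```python
from fractions import Fraction
from itertools import product
from math import comb, factorial

def p1_exact(q, d):
    """Theorem 2.1 (q > d): probability that the first vertical strip contains a zero."""
    head = sum(Fraction((-1) ** (j - 1) * comb(q, j), q ** j) for j in range(1, d + 1))
    return head + Fraction((-1) ** d * comb(q - 1, d), q ** (d + 1))

def mu(d):
    """mu_d = sum_{j=1}^{d} (-1)^(j-1) / j!, the limit of p1_exact(q, d) as q grows."""
    return sum(Fraction((-1) ** (j - 1), factorial(j)) for j in range(1, d + 1))

def has_root(coeffs, p):
    """True if the polynomial sum_i coeffs[i] * T^i has a zero in F_p."""
    return any(sum(c * pow(x, i, p) for i, c in enumerate(coeffs)) % p == 0 for x in range(p))

def p1_bruteforce(p, d):
    """Fraction of the p^(d+1) polynomials of degree <= d over F_p having a root in F_p."""
    hits = sum(has_root(f, p) for f in product(range(p), repeat=d + 1))
    return Fraction(hits, p ** (d + 1))

if __name__ == "__main__":
    # Columns: p, d, exact formula, exhaustive count, mu_d as a float.
    for p, d in [(3, 2), (5, 3), (7, 2), (7, 4)]:
        print(p, d, p1_exact(p, d), p1_bruteforce(p, d), float(mu(d)))
```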


2.2. Probability of success in the second search. Next we analyze the probability
that the SVS algorithm performs exactly two searches.

Each possible choice for the first two vertical strips is determined by an element
$a := (a_1, a_2) \in \mathbb{F}_q^{r-1} \times \mathbb{F}_q^{r-1}$ with $a_1 \ne a_2$. Therefore, we denote by $\mathsf{F}_2$ the set of
all such possible choices and by $N_2$ its cardinality, that is,

$$\mathsf{F}_2 := \{a := (a_1, a_2) \in \mathbb{F}_q^{r-1} \times \mathbb{F}_q^{r-1} : a_1 \ne a_2\}, \qquad N_2 = |\mathsf{F}_2| = q^{r-1}(q^{r-1} - 1).$$

We shall study the random variable $C_2 := C_{2,r,d} : \mathsf{F}_2 \times \mathcal{F}_{r,d} \to \{1, 2, \infty\}$ defined as

$$C_2(a, F) := \begin{cases} 1 & \text{if } N_{1,d}(F(a_1, X_r)) > 0, \\ 2 & \text{if } N_{1,d}(F(a_1, X_r)) = 0 \text{ and } N_{1,d}(F(a_2, X_r)) > 0, \\ \infty & \text{otherwise.} \end{cases}$$

We consider the set $\mathsf{F}_2 \times \mathcal{F}_{r,d}$ endowed with the uniform probability $P_2 := P_{2,r,d}$.
We aim to determine the probability $P_2[C_2 = 2]$.

This probability will be expressed in terms of probabilities concerning the random
variables $C_a := C_{a,r,d} : \mathcal{F}_{r,d} \to \{1, 2, \infty\}$ which count the number of searches that
are performed on the vertical strips defined by $a := (a_1, a_2) \in \mathsf{F}_2$ until an $\mathbb{F}_q$-rational
zero is obtained, $C_a(F) = \infty$ meaning that $F$ does not have $\mathbb{F}_q$-rational
zeros on these two vertical strips. For this purpose, the set $\mathcal{F}_{r,d}$ is considered to
be endowed with the uniform probability $p_{r,d}$. The relation between these random
variables and $P_2[C_2 = 2]$ is expressed in the following lemma.


Lemma 2.3. We have

$$P_2[C_2 = 2] = \frac{1}{N_2} \sum_{a \in \mathsf{F}_2} p_{r,d}[C_a = 2].$$

Proof. Observe that

$$\{C_2 = 2\} = \bigcup_{a \in \mathsf{F}_2} \{a\} \times \{F \in \mathcal{F}_{r,d} : C_a(F) = 2\}.$$

Since this is a union of disjoint sets, we conclude that

$$P_2[C_2 = 2] = \frac{1}{N_2} \sum_{a \in \mathsf{F}_2} \frac{|\{F \in \mathcal{F}_{r,d} : C_a(F) = 2\}|}{|\mathcal{F}_{r,d}|} = \frac{1}{N_2} \sum_{a \in \mathsf{F}_2} p_{r,d}[C_a = 2],$$

which proves the lemma. □

Next we estimate the probability $p_{r,d}[C_a = 2]$ for a given $a \in \mathsf{F}_2$.


Proposition 2.4. For $q > d$ and $a := (a_1, a_2) \in \mathsf{F}_2$, we have

3 

= 2 ] /^d)| E ~ • 

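Proof. Observe that

$$\{C_a = 2\} = \{F \in \mathcal{F}_{r,d} : N_{1,d}(F(a_2, T)) > 0\} \setminus \{F \in \mathcal{F}_{r,d} : N_{1,d}(F(a_1, T)) > 0\}.$$

The number of elements of $\mathcal{F}_{r,d}$ having $\mathbb{F}_q$-rational zeros in the vertical strip defined
by $a_2$ is determined in Theorem 2.1. Therefore, it remains to find the number $\mathcal{N}_{a,2}$
of elements of $\mathcal{F}_{r,d}$ having $\mathbb{F}_q$-rational zeros both in the vertical strips defined by
$a_1$ and $a_2$. We have

$$\mathcal{N}_{a,2} = \Big| \bigcup_{x \in \mathbb{F}_q} \bigcup_{y \in \mathbb{F}_q} \{F \in \mathcal{F}_{r,d} : F(a_1, x) = F(a_2, y) = 0\} \Big|.$$

Given sets $\mathcal{X} \subset \mathbb{F}_q$ and $\mathcal{Y} \subset \mathbb{F}_q$, we denote

$$S_a(\mathcal{X}, \mathcal{Y}) := \{F \in \mathcal{F}_{r,d} : F(a_1, x) = F(a_2, y) = 0 \text{ for all } x \in \mathcal{X} \text{ and } y \in \mathcal{Y}\}.$$

Then the inclusion-exclusion principle implies

(2.6) $\mathcal{N}_{a,2} = \sum_{j=1}^{q} \sum_{k=1}^{q} (-1)^{j+k} \sum_{\mathcal{X}_j \subset \mathbb{F}_q} \sum_{\mathcal{Y}_k \subset \mathbb{F}_q} |S_a(\mathcal{X}_j, \mathcal{Y}_k)|,$

where the sum runs over all subsets $\mathcal{X}_j \subset \mathbb{F}_q$ and $\mathcal{Y}_k \subset \mathbb{F}_q$ of $j$ and $k$ elements
respectively.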


Claim. 


iVa, 2 

\Fr,d\ 


(P1IC1 = l ]) 2 + = (-Pi [Ci = l ]) 2 + 0 {q - 1 ). 


Proof of Claim. For $1 \le j, k \le q$, let

$$\mathcal{N}_{j,k} := \sum_{\mathcal{X}_j \subset \mathbb{F}_q} \sum_{\mathcal{Y}_k \subset \mathbb{F}_q} |S_a(\mathcal{X}_j, \mathcal{Y}_k)|.$$

We determine $\mathcal{N}_{j,k}$ according to whether one of the following four cases occurs.

First suppose that $j, k \le d$. As $a_1 \ne a_2$, the equalities $F(a_1, x) = 0$, $F(a_2, y) = 0$
for all $x \in \mathcal{X}_j$ and $y \in \mathcal{Y}_k$ impose $j + k$ linearly-independent conditions on the
coefficients of $F \in \mathcal{F}_{r,d}$. Therefore, $|S_a(\mathcal{X}_j, \mathcal{Y}_k)| = q^{\dim \mathcal{F}_{r,d} - j - k}$, which implies

$$\mathcal{N}_{j,k} = \sum_{\mathcal{X}_j, \mathcal{Y}_k \subset \mathbb{F}_q} q^{\dim \mathcal{F}_{r,d} - j - k} = \binom{q}{j} \binom{q}{k} q^{\dim \mathcal{F}_{r,d} - j - k}.$$

The second case is determined by the conditions $j > d$ and $k \le d$. If $j > d$ and
$\mathcal{X}_j \subset \mathbb{F}_q$ is a subset of cardinality $j$, then the condition $F(a_1, x) = 0$ is satisfied
for every $x \in \mathcal{X}_j$ if and only if $F(a_1, X_r) = 0$. We may express the latter by
$d + 1$ linearly-independent linear equations on the coefficients of $F \in \mathcal{F}_{r,d}$. On
the other hand, the equalities $F(a_2, y) = 0$ for all $y \in \mathcal{Y}_k$ impose $k$ additional
linearly-independent conditions on the coefficients of $F$. We conclude that

$$\mathcal{N}_{j,k} = \sum_{\mathcal{X}_j, \mathcal{Y}_k \subset \mathbb{F}_q} q^{\dim \mathcal{F}_{r,d} - (d+1) - k} = \binom{q}{j} \binom{q}{k} q^{\dim \mathcal{F}_{r,d} - (d+1) - k}.$$

The third case, namely $j \le d$ and $k > d$, is completely analogous to the second
one. Finally, when $j > d$ and $k > d$, the conditions under consideration imply
$F(a_1, X_r) = F(a_2, X_r) = 0$. We readily deduce that


N'j.k — 




From the expression for $\mathcal{N}_{j,k}$ of the four cases under consideration we infer that


N a 


q q 


\Xr,d\ \Fr,d\fri£ri 


EE(-i 


it±(-i) j + k ( q )( q X- j - k + 2± i (-1 


,= lfc=1 WVfc 
+ £ E(-i) j+fc C 

j=d+l k=d-\-1 


d q 

L £ 

j =1 k=d-\-1 


\k 




By (2.4) and elementary calculations we obtain



This and Theorem 2.1 readily imply the claim. □


Combining the previous claim and Theorem 2.1 we deduce that
Pr,d[Ca = 2] = Pi [Cl = 1] - 

Wr,d\ 

= (l-P,[C 1 = l])P 1 [C 1 = l]-^[ ? - 1 ) 2 . 

Let $g : \mathbb{R} \to \mathbb{R}$, $g(x) := (1 - x)x$. The Mean Value theorem shows that there exists
$\xi \in (0, 1)$ such that

$$(1 - P_1[C_1 = 1])\, P_1[C_1 = 1] - (1 - \mu_d)\mu_d = g'(\xi)\, (P_1[C_1 = 1] - \mu_d).$$

As the function $x \mapsto g'(x)$ maps the real interval $[0, 1]$ to $[-1, 1]$, we conclude that
$|g'(\xi)| \le 1$. Therefore, from Corollary 2.2 it follows that

|(1 - Pi[C! = l])Pi[C ' 1 = 1] - (1 - n d )p d \ < |Pi [C\ = 1 ] - fid\ < 

On the other hand, it is easy to see that ( 9 ^ 1 ) 2 — V?- This immediately 
implies the statement of the proposition. □ 


Proposition 2.4 is the critical step in the analysis of the behavior of the probability
$P_2[C_2 = 2]$, which is estimated in the next result.

Theorem 2.5. For any q > d, 

\P 2 \C 2 = 2] — (1 — p d )p d \ < —• 

Proof. By Lemma 2.3 and Proposition 2.4 we obtain

\P 2 [C2 = 2] - (1 - p d )p d \ < Y] I PrA C a = 2] - (1 - Pd)Pd\ < -. 

N 2 a ^ 2 q 


This finishes the proof of the theorem. 


□ 
We finish the section with a remark concerning the spaces considered so far to
discuss the probability that the SVS algorithm performs at most two searches on
vertical strips. For the analysis of the probability of one search we have considered
$\mathsf{F}_1 := \mathbb{F}_q^{r-1}$ and the random variable $C_1 : \mathsf{F}_1 \times \mathcal{F}_{r,d} \to \{1, \infty\}$, while in the analysis
of the probability of two searches we have considered the random variable
$C_2 : \mathsf{F}_2 \times \mathcal{F}_{r,d} \to \{1, 2, \infty\}$. To link both analyses, in Lemma Pi. 1 1 below we prove that

$$P_2[C_2 = 1] = P_1[C_1 = 1],$$

which shows the consistency of the probability spaces underlying Theorems 2.1 and
2.5. In Section 4 we shall show that the analysis of the probability that $s$ vertical
strips are searched can be done in a unified framework for any $s \ge 1$.


3. The number of searches for given vertical strips 


As can be inferred from Section 2, a critical step in the probabilistic analysis
of the SVS algorithm is the determination of the probability of $s$ searches, for a given
choice of $s$ vertical strips. The cases $s = 1$ and $s = 2$ were discussed in Section 2.
In this section we carry out the analysis of the general case.

Fix $3 \le s \le \min\{\binom{d+r-1}{r-1}, q^{r-1}\}$ and $a_1, \dots, a_s \in \mathbb{F}_q^{r-1}$ with $a_i \ne a_j$ for $i \ne j$.
Denote $a := (a_1, \dots, a_s)$. Assuming that $a$ is the choice for the first $s$ vertical
strips to be considered, we analyze the probability that the SVS algorithm finds an
$\mathbb{F}_q$-rational zero of the polynomial under consideration in the $s$th search.

For this purpose, we consider the set $\mathcal{F}_{r,d}$ endowed with the uniform probability
$p_{r,d}$ and the random variable $C_a := C_{a,r,d} : \mathcal{F}_{r,d} \to \{1, 2, \dots, s, \infty\}$ which counts the
number of searches for a given input on the vertical strips determined by $a_1, \dots, a_s$,
$C_a(F) = \infty$ meaning that $F$ has no $\mathbb{F}_q$-rational zeros on these vertical strips.

We start with the following elementary result.


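Lemma 3.1. Let $V$ and $W$ be $\mathbb{F}_q$-linear spaces of finite dimension and $\Phi : V \to W$
any $\mathbb{F}_q$-linear mapping. Consider $V$ and $W$ endowed with the uniform probabilities
$P_V$ and $P_W$ respectively. Then for any $A \subset W$ we have

$$P_V(\Phi^{-1}(A)) = \frac{|A \cap \mathrm{Im}(\Phi)|}{|\mathrm{Im}(\Phi)|} = \frac{P_W(A \cap \mathrm{Im}(\Phi))}{P_W(\mathrm{Im}(\Phi))} =: P_{\mathrm{Im}\,\Phi}(A).$$


Proof. We have

$$P_V(\Phi^{-1}(A)) = \frac{1}{|V|} |\Phi^{-1}(A)| = \frac{1}{|V|} |\mathrm{Ker}(\Phi)|\, |A \cap \mathrm{Im}(\Phi)|.$$

By the Dimension theorem and the equality $|S| = q^{\dim S}$, valid for any $\mathbb{F}_q$-vector
space $S$, we see that $|V| = |\mathrm{Ker}(\Phi)|\, |\mathrm{Im}(\Phi)|$. Then

$$\frac{1}{|V|} |\Phi^{-1}(A)| = \frac{|A \cap \mathrm{Im}(\Phi)|}{|\mathrm{Im}(\Phi)|} = \frac{P_W(A \cap \mathrm{Im}(\Phi))}{P_W(\mathrm{Im}(\Phi))}.$$

This finishes the proof of the lemma. □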


For simplicity of notations, we replace the variable $X_r$ by a new indeterminate
$T$ and consider the $\mathbb{F}_q$-linear mapping $\Phi : \mathcal{F}_{r,d} \to \mathcal{F}_{1,d}^{s}$ defined as

(3.1) $\Phi(F) := (F(a_1, T), \dots, F(a_s, T)).$

Since $\mathrm{Im}(\Phi)$ is an $\mathbb{F}_q$-linear space, by Lemma 3.1 it follows that

(3.2) $p_{r,d}[C_a = s] = \dfrac{\big| (\{N = 0\}^{s-1} \times \{N > 0\}) \cap \mathrm{Im}(\Phi) \big|}{|\mathrm{Im}(\Phi)|},$

where $N := N_{1,d}$ denotes the random variable which counts the number of zeros in
$\mathbb{F}_q$ of the elements of $\mathcal{F}_{1,d}$. As a consequence, we need to estimate the quantity

$$R_s := \big| (\{N = 0\}^{s-1} \times \{N > 0\}) \cap \mathrm{Im}(\Phi) \big|.$$

In the next section we obtain a characterization of the image of $\Phi$ that will allow us
to express $R_s$ in terms of the average cardinality of the value set of certain families
of univariate polynomials. This is the critical step to estimate the quantity $R_s$.
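As we explain below, there exists a unique positive integer $\kappa_s \le d$ such that

$$\binom{\kappa_s + r - 2}{r - 1} < s \le \binom{\kappa_s + r - 1}{r - 1}.$$

In the sequel we shall assume that the points $a_1, \dots, a_s$ under consideration satisfy
the condition we now state. For $1 \le j \le \kappa_s$, let $D_j := \binom{j + r - 1}{r - 1}$ and denote by
$\Omega_j := \{\omega_1, \dots, \omega_{D_j}\} \subset (\mathbb{Z}_{\ge 0})^{r-1}$ the set of $(r - 1)$-tuples $\omega_k := (\omega_{k,1}, \dots, \omega_{k,r-1})$
with $|\omega_k| := \omega_{k,1} + \cdots + \omega_{k,r-1} \le j$. Let $a_i^{\omega_k} := a_{i,1}^{\omega_{k,1}} \cdots a_{i,r-1}^{\omega_{k,r-1}}$ for $1 \le i \le s$ and
$1 \le k \le D_j$. Then we require that the multivariate Vandermonde matrix

(3.3) $M_j := \begin{pmatrix} a_1^{\omega_1} & \cdots & a_1^{\omega_{D_j}} \\ \vdots & & \vdots \\ a_s^{\omega_1} & \cdots & a_s^{\omega_{D_j}} \end{pmatrix} \in \mathbb{F}_q^{s \times D_j}$

has maximal rank $\min\{D_j, s\}$ for $1 \le j \le \kappa_s$.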

We briefly argue that this is a mild requirement which is likely to be satisfied
by any “reasonable” choice of the elements $a_1, \dots, a_s \in \mathbb{F}_q^{r-1}$. Let $A_1, \dots, A_s$
be $(r - 1)$-tuples of indeterminates over $\mathbb{F}_q$, that is, $A_i := (A_{i,1}, \dots, A_{i,r-1})$ for
$1 \le i \le s$, and denote by $V_j$ the following $\min\{D_j, s\} \times \min\{D_j, s\}$ Vandermonde
matrix with entries in $\mathbb{F}_q[A_1, \dots, A_s]$:

$$V_j := \begin{pmatrix} A_1^{\omega_1} & \cdots & A_1^{\omega_{\min\{D_j, s\}}} \\ \vdots & & \vdots \\ A_{\min\{D_j, s\}}^{\omega_1} & \cdots & A_{\min\{D_j, s\}}^{\omega_{\min\{D_j, s\}}} \end{pmatrix}.$$

Assume that the numbering of $\Omega_j := \{\omega_1, \dots, \omega_{D_j}\} \subset (\mathbb{Z}_{\ge 0})^{r-1}$ is made according
to degrees, i.e., $|\omega_k| \le |\omega_l|$ whenever $k \le l$. In particular, $\omega_1 = (0, \dots, 0)$. By
ns Theorem 1.5] it follows that $\det V_j$ is absolutely irreducible, namely it is a
nonzero irreducible element of $\mathbb{F}_q[A_1, \dots, A_s]$, for $1 \le j \le \kappa_s$. Let $\delta_j$ denote the
degree of $\det V_j$. We have the bound $\delta_j \le j D_j$. Then [HI Theorem 5.2] proves that
the number $\mathcal{N}_j$ of $(r - 1)$-tuples $a_1, \dots, a_s \in \mathbb{F}_q^{r-1}$ annihilating $\det V_j$ satisfies the
estimate

(3.4) |Nj - < fa - 1 )(6j - 2 + 56/ g s(r-1)-2 . 

Any choice of $a_1, \dots, a_s$ avoiding these $\mathcal{N}_j = O(q^{s(r-1)-1})$ tuples for $1 \le j \le \kappa_s$
will satisfy our requirements. Furthermore, many “bad” choices $a_1, \dots, a_s$ annihilating
the polynomial $\det V_j$ for a given $j$ will also work, as other minors of the
Vandermonde matrix $M_j$ of (3.3) may be nonsingular. In particular, for $s \le r$ and
$a_1, \dots, a_s$ affinely independent, our requirement is satisfied.

Summarizing, denote $V_s := \prod_{j=1}^{\kappa_s} \det V_j \in \mathbb{F}_q[A_1, \dots, A_s]$ and let

(3.5) $B_s := \{a := (a_1, \dots, a_s) \in \mathbb{F}_q^{s(r-1)} : V_s(a) = 0\}.$

Then $|B_s| = O(q^{s(r-1)-1})$ and all the results of this section are valid for any
$a \in \mathbb{F}_q^{s(r-1)} \setminus B_s$.


3.1. A characterization of the image of $\Phi$. In order to characterize the image
$\mathrm{Im}(\Phi)$, we shall express each element of $\mathcal{F}_{r,d}$ by its coordinates in the standard
monomial basis $\mathcal{B}$ of $\mathcal{F}_{r,d}$, considering the monomial order we now define. Denote
by $\mathcal{B}_i$ the set of monomials of $\mathbb{F}_q[X_1, \dots, X_{r-1}]$ of degree at most $i$ for $0 \le i \le d$,
with the standard lexicographical order defined by setting $X_1 < X_2 < \cdots < X_{r-1}$.
The basis $\mathcal{B}$ is considered with the order $\mathcal{B} = \{X_r^{d}, X_r^{d-1} \mathcal{B}_1, \dots, X_r \mathcal{B}_{d-1}, \mathcal{B}_d\}$, where
each set $X_r^{d-i} \mathcal{B}_i$ is ordered following the order induced by the one of $\mathcal{B}_i$. In other
words, any $F \in \mathcal{F}_{r,d}$ can be uniquely expressed as

$$F = \sum_{i=0}^{d} F_i(X_1, \dots, X_{r-1})\, X_r^{i},$$

where each $F_i$ has degree at most $d - i$ for $0 \le i \le d$. Then the vector of coefficients
$(F)_{\mathcal{B}}$ of $F$ in the basis $\mathcal{B}$ is given by $(F)_{\mathcal{B}} = ((F_d)_{\mathcal{B}_0}, \dots, (F_0)_{\mathcal{B}_d})$. On the other
hand, we shall express the elements of $\mathcal{F}_{1,d}^{s}$ in the basis $\mathcal{B}' := \{T^{d}, \dots, T, 1\}^{s}$.

Let 

We also set $D_{-1} := 0$. Observe that the sequence is strictly increasing.

Therefore, for each $i$ with $1 \le i \le s$ there exists a unique $\kappa_i \in \mathbb{N}$ such that

(3.6) $D_{\kappa_i - 1} < i \le D_{\kappa_i}.$

The following remarks can be easily established.

Remark 3.2.

• $\kappa_i \le j$ if and only if $i \le D_j$.

• $\kappa_1 = 0$, $\kappa_s \le d$.

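The matrix $M_\Phi \in \mathbb{F}_q^{s(d+1) \times D}$ of $\Phi$ with respect to the bases defined above can
be written as the following block matrix:

$$M_\Phi = \begin{pmatrix} M_1 \\ \vdots \\ M_s \end{pmatrix},$$

where $M_i \in \mathbb{F}_q^{(d+1) \times D}$ is the diagonal block matrix

$$M_i := \begin{pmatrix} M_{i,0} & & \\ & \ddots & \\ & & M_{i,d} \end{pmatrix}, \qquad M_{i,j} := (a_i^{\omega} : |\omega| \le j) \in \mathbb{F}_q^{1 \times D_j}.$$

Our first result concerns the dimension of $\mathrm{Im}(\Phi)$.

Lemma 3.3. For $s \le \min\{D_d, q^{r-1}\}$, we have

$$\dim \mathrm{Im}(\Phi) = \binom{\kappa_s - 1 + r}{r} + s(d - \kappa_s + 1) = \sum_{i=1}^{s} (d + 1 - \kappa_i).$$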

Proof. Let $h := (h_1, \dots, h_s)$ be an element of $\mathrm{Im}(\Phi)$. Then there exists $F \in \mathcal{F}_{r,d}$
with $h = \Phi(F)$. Denote by $(F)_{\mathcal{B}} = ((F_d)_{\mathcal{B}_0}, \dots, (F_0)_{\mathcal{B}_d})$ the coordinates of $F$ in
the basis $\mathcal{B}$. Then the block structure of the matrix $M_\Phi$ implies


(3.7) 

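As $a \notin B_s$, we have

$$\mathrm{rank} \begin{pmatrix} M_{1,j} \\ \vdots \\ M_{s,j} \end{pmatrix} = \min\{D_j, s\} = \begin{cases} D_j & \text{for } 0 \le j \le \kappa_s - 1, \\ s & \text{for } \kappa_s \le j \le d. \end{cases}$$

As a consequence,

$$\dim \mathrm{Im}(\Phi) = \sum_{j=0}^{\kappa_s - 1} D_j + s(d - \kappa_s + 1) = \binom{\kappa_s - 1 + r}{r} + s(d - \kappa_s + 1).$$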
This proves the first assertion of the lemma. To prove the second assertion, we have

$$\sum_{i=1}^{s} (d + 1 - \kappa_i) = \sum_{j=0}^{\kappa_s}\ \sum_{i = D_{j-1} + 1}^{\min\{D_j, s\}} (d + 1 - j) = \sum_{j=0}^{\kappa_s - 1} (d + 1 - j)(D_j - D_{j-1}) + (d + 1 - \kappa_s)(s - D_{\kappa_s - 1}).$$

Since $\sum_{j=0}^{k} (D_j - D_{j-1}) = D_k$, we conclude that

$$\sum_{i=1}^{s} (d + 1 - \kappa_i) = - \sum_{j=0}^{\kappa_s - 1} j (D_j - D_{j-1}) + (d + 1 - \kappa_s) s + \kappa_s D_{\kappa_s - 1}.$$

Taking into account the identity Y^f=o 3 ^ + r’) = (-^ + we obtain 

y^(d + 1 - Kj) = -(r - 1) + r ^ + (d + 1 - k s )s + k s D Ks _i. 

A simple calculation finishes the proof of the lemma. □ 


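Next we determine a suitable parameterization of $\mathrm{Im}(\Phi)$. To this end, let
$\Phi^* : \mathrm{Im}(\Phi) \to \mathbb{F}_q^{\dim \mathrm{Im}(\Phi)}$ be the $\mathbb{F}_q$-linear mapping defined by

$$\Phi^*(h) := h^*,$$

where $h := (h_1, \dots, h_s)$, $h_i := (h_{d,i}, \dots, h_{0,i}) \in \mathbb{F}_q^{d+1}$ for $1 \le i \le s$ and

(3.8) $h^* := (h_1^*, \dots, h_s^*), \qquad h_i^* := (h_{d - \kappa_i, i}, \dots, h_{0,i}) \quad (1 \le i \le s).$

Lemma 3.3 shows that $\Phi^*$ is well-defined.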


Lemma 3.4. $\Phi^*$ is an isomorphism.


Proof. Since $\Phi^*$ is a linear mapping between $\mathbb{F}_q$-vector spaces of the same dimension,
it suffices to show that $\Phi^*$ is injective. Fix $h := \Phi(F) \in \mathrm{Im}(\Phi)$ with $h^* = 0$. From
(3.7) we deduce that

$$\begin{pmatrix} M_{1,j} \\ \vdots \\ M_{s,j} \end{pmatrix} (F_{d-j})_{\mathcal{B}_j} = \begin{pmatrix} h_{d-j,1} \\ \vdots \\ h_{d-j,s} \end{pmatrix}.$$

Fix $j$ with $0 \le j \le \kappa_s - 1$. Then the element $h_{d-j,i}$ is included in the definition
of $h^*$ if and only if $i \le D_j$ (see Remark 3.2). As $h^* = 0$ by hypothesis, it follows
that $h_{d-j,i} = 0$ for $1 \le i \le D_j$ and we have the identity

$$\begin{pmatrix} M_{1,j} \\ \vdots \\ M_{D_j, j} \\ M_{D_j + 1, j} \\ \vdots \\ M_{s,j} \end{pmatrix} (F_{d-j})_{\mathcal{B}_j} = \begin{pmatrix} 0 \\ \vdots \\ 0 \\ h_{d-j, D_j + 1} \\ \vdots \\ h_{d-j, s} \end{pmatrix}.$$

Since the upper $(D_j \times D_j)$-submatrix of the matrix in the left-hand side is invertible,
we conclude that $(F_{d-j})_{\mathcal{B}_j} = 0$. This implies $h_{d-j, D_j + 1} = \cdots = h_{d-j, s} = 0$. On
the other hand, for $j \ge \kappa_s$ the element $h_{d-j,i}$ is included in the definition of $h^*$ for
$1 \le i \le s$ and therefore $h_{d-j,i} = 0$ for $1 \le i \le s$. This shows that $h = 0$. □


Denote by $\Psi := (\psi_1, \dots, \psi_s) : \mathbb{F}_q^{\dim \mathrm{Im}(\Phi)} \to \mathrm{Im}(\Phi)$ the inverse mapping of $\Phi^*$. We need further information concerning the mappings $\psi_i$.

Lemma 3.5. Let be given $h_i^* := (h_{d-\kappa_i,i}, \dots, h_{0,i}) \in \mathbb{F}_q^{d+1-\kappa_i}$ for $1 \le i \le s$. Let $h^* := (h_1^*, \dots, h_s^*) \in \mathbb{F}_q^{\dim \mathrm{Im}(\Phi)}$ and $h := \Psi(h^*)$. Denote

$$h_i := \psi_i(h^*) := h_{d,i} T^d + \cdots + h_{d+1-\kappa_i,i} T^{d+1-\kappa_i} + h_{d-\kappa_i,i} T^{d-\kappa_i} + \cdots + h_{0,i}.$$

Then $h_{d,i}, \dots, h_{d+1-\kappa_i,i}$ are uniquely determined by $h_1^*, \dots, h_{i-1}^*$.

Proof. Fix $k$ with $0 \le k \le \kappa_i - 1$. Write $h := \Phi(F)$. In the proof of Lemma 3.4 we prove that

$$\begin{pmatrix} M_{1,k} \\ \vdots \\ M_{D_k,k} \end{pmatrix} (F_{d-k})_{B_k} = \begin{pmatrix} h_{d-k,1} \\ \vdots \\ h_{d-k,D_k} \end{pmatrix},$$

where the $(D_k \times D_k)$-matrix in the left-hand side is invertible. The element $h_{d-k,l}$ is included in the definition of $h_l^*$ if and only if $l \le D_k$. Furthermore, we have $k \le \kappa_i - 1 \le \kappa_{i-1}$. We conclude that the vector in the right-hand side is uniquely determined by $h_1^*, \dots, h_{i-1}^*$, and thus so is $(F_{d-k})_{B_k}$. Therefore, the identity

$$\begin{pmatrix} M_{1,k} \\ \vdots \\ M_{i,k} \end{pmatrix} (F_{d-k})_{B_k} = \begin{pmatrix} h_{d-k,1} \\ \vdots \\ h_{d-k,i} \end{pmatrix}$$

shows that the element $h_{d-k,i}$ is uniquely determined by $h_1^*, \dots, h_{i-1}^*$. □

We end this section with the following remark.

Remark 3.6. For each $h := (h_1, \dots, h_s) \in \mathrm{Im}(\Phi)$, we have $h_{d,1} = \cdots = h_{d,s}$. Indeed, from (3.7) we deduce that

$$\begin{pmatrix} M_{1,0} \\ \vdots \\ M_{s,0} \end{pmatrix} (F_d)_{B_0} = \begin{pmatrix} 1 \\ \vdots \\ 1 \end{pmatrix} (F_d)_{B_0} = \begin{pmatrix} h_{d,1} \\ \vdots \\ h_{d,s} \end{pmatrix}.$$

This implies $h_{d,1} = \cdots = h_{d,s} = (F_d)_{B_0}$. In particular, the coefficient $h_{d,1}$ of the monomial $T^d$ in the polynomial $h_1$ uniquely determines the coefficient $h_{d,j}$ of the monomial $T^d$ in $h_j$ for $2 \le j \le s$. □

3.2. The probability of s searches in terms of cardinalities of value sets.

For $a := (a_1, \dots, a_s) \in \mathbb{F}_q^{s(r-1)} \setminus B_s$ as before, we need to estimate the quantity

$$R_s := \big| (\{N = 0\}^{s-1} \times \{N > 0\}) \cap \mathrm{Im}(\Phi) \big|.$$

According to Lemma 3.4, each element $h \in \mathrm{Im}(\Phi)$ can be uniquely expressed in the form $h = \Psi(h^*)$, where $h^*$ is defined as in (3.8). Hence,

$$R_s = \sum_{h^* \in \mathbb{F}_q^{\dim \mathrm{Im}(\Phi)}} \mathbf{1}_{\{N=0\}^{s-1} \times \{N>0\}}(\Psi(h^*)), \tag{3.10}$$

where $\mathbf{1}_{\{N=0\}^{s-1} \times \{N>0\}} : \mathcal{F}_{1,d}^s \to \{0,1\}$ denotes the characteristic function of the set $\{N = 0\}^{s-1} \times \{N > 0\}$. By Lemma 3.5, the coordinate $\psi_i(h^*)$ depends only on $\boldsymbol{h}_i^* := (h_1^*, \dots, h_i^*)$ for $1 \le i \le s$. We shall therefore write $\psi_i(h^*)$ as $\psi_i(\boldsymbol{h}_i^*)$ for $1 \le i \le s$, with a slight abuse of notation.

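First, we rewrite the expression (3.10) for $R_s$ in a suitable form for our purposes.

Lemma 3.7. Let $h := (\sum_{j=0}^{d} h_{j,1} T^j, \dots, \sum_{j=0}^{d} h_{j,s} T^j)$ be an arbitrary element of $\mathrm{Im}(\Phi)$ and let $h^* := \Phi^*(h) := (h_1^*, \dots, h_s^*) \in \mathbb{F}_q^{\dim \mathrm{Im}(\Phi)}$ be defined as in (3.8). For $s \le \min\{D_d, q^{r-1}\}$, the following identity holds:

$$R_s = \sum_{\substack{h_1^* \in \mathbb{F}_q^{d+1} \\ N(\psi_1(h_1^*)) = 0}} \cdots \sum_{\substack{h_{s-1}^* \in \mathbb{F}_q^{d+1-\kappa_{s-1}} \\ N(\psi_{s-1}(\boldsymbol{h}_{s-1}^*)) = 0}} \ \sum_{h_s^* \in \mathbb{F}_q^{d+1-\kappa_s}} \mathbf{1}_{\{N>0\}}(\psi_s(\boldsymbol{h}_s^*)).$$

Proof. We may rewrite (3.10) in the following way:

$$R_s = \sum_{h_1^* \in \mathbb{F}_q^{d+1}} \cdots \sum_{h_s^* \in \mathbb{F}_q^{d+1-\kappa_s}} \mathbf{1}_{\{N=0\}^{s-1} \times \{N>0\}}(\Psi(h^*)).$$

As a consequence of the remarks before the statement of Lemma 3.7, it follows that

$$\mathbf{1}_{\{N=0\}^{s-1} \times \{N>0\}}(\Psi(h^*)) = \prod_{i=1}^{s-1} \mathbf{1}_{\{N=0\}}(\psi_i(h^*)) \cdot \mathbf{1}_{\{N>0\}}(\psi_s(h^*)) = \prod_{i=1}^{s-1} \mathbf{1}_{\{N=0\}}(\psi_i(\boldsymbol{h}_i^*)) \cdot \mathbf{1}_{\{N>0\}}(\psi_s(\boldsymbol{h}_s^*)).$$

Then the previous expression for $R_s$ can be rewritten as follows:

$$R_s = \sum_{h_1^* \in \mathbb{F}_q^{d+1}} \mathbf{1}_{\{N=0\}}(\psi_1(h_1^*)) \cdots \sum_{h_s^* \in \mathbb{F}_q^{d+1-\kappa_s}} \mathbf{1}_{\{N>0\}}(\psi_s(\boldsymbol{h}_s^*)),$$

which readily implies the lemma. □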

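For $1 \le i \le s-1$, fix $h_i^* \in \mathbb{F}_q^{d+1-\kappa_i}$. For each $h_s^* := (h_{d-\kappa_s,s}, \dots, h_{0,s}) \in \mathbb{F}_q^{d+1-\kappa_s}$, denote by $f_{h_s^*}$ the polynomial

$$f_{h_s^*} := \psi_s(h_1^*, \dots, h_s^*) := h_{d,s} T^d + \cdots + h_{d+1-\kappa_s,s} T^{d+1-\kappa_s} + h_{d-\kappa_s,s} T^{d-\kappa_s} + \cdots + h_{0,s}.$$

According to Lemma 3.7, we are interested in estimating the sum

$$\sum_{h_s^* \in \mathbb{F}_q^{d+1-\kappa_s}} \mathbf{1}_{\{N>0\}}(f_{h_s^*}). \tag{3.11}$$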

For ft* := {h d - Ka , s , ..., fto,s) e F g d+1_K % denote ft* := {h d - Ka>s ,..., fti, s ) € F d ~ K ‘ 
and /£, := X)j=i ftj.s?^ = fh* e - fh* B ( 0). We observe that 

X! 1 {JV>o}(//i;) = E E 1 {JV>o}(/fc;) = E V (/h;) 

‘ s h*e ^o, 3 eF 9 


?i;eF g £ 

(3.12) 


1 


E V (E*)> 


/ij eF, 


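where $V(f) := |\{f(c) : c \in \mathbb{F}_q\}|$ is the cardinality of the value set of $f \in \mathbb{F}_q[T]$. Lemma 3.5 proves that $h_{d,s}, \dots, h_{d+1-\kappa_s,s}$ are uniquely determined by $\boldsymbol{h}_{s-1}^* := (h_1^*, \dots, h_{s-1}^*)$. Thus, the sum in the right-hand side of (3.12) takes as argument the cardinality of the value set of all the elements of $\mathcal{F}_{1,d}$ having its first $\kappa_s$ coefficients $(h_{d,s}, \dots, h_{d+1-\kappa_s,s})$ prescribed. Set $\psi_s^{\mathrm{fix}}(\boldsymbol{h}_{s-1}^*) := (h_{d,s}, \dots, h_{d+1-\kappa_s,s})$ and denote

$$\mathcal{V}_d(\kappa_s, \psi_s^{\mathrm{fix}}(\boldsymbol{h}_{s-1}^*)) := \frac{1}{q^{d+1-\kappa_s}} \sum_{h_s^* \in \mathbb{F}_q^{d+1-\kappa_s}} V(f_{h_s^*}). \tag{3.13}$$

Now we express the probability that $C_a = s$ in terms of $\mathcal{V}_d(\kappa_s, \psi_s^{\mathrm{fix}}(\boldsymbol{h}_{s-1}^*))$.

Lemma 3.8. For $s \le \min\{D_d, q^{r-1}\}$, the following identity holds:

$$p_{r,d}[C_a = s] = \frac{1}{q^{\sum_{i=1}^{s-1}(d+1-\kappa_i)}} \sum_{\substack{h_1^* \in \mathbb{F}_q^{d+1} \\ N(\psi_1(h_1^*)) = 0}} \cdots \sum_{\substack{h_{s-1}^* \in \mathbb{F}_q^{d+1-\kappa_{s-1}} \\ N(\psi_{s-1}(\boldsymbol{h}_{s-1}^*)) = 0}} \frac{\mathcal{V}_d(\kappa_s, \psi_s^{\mathrm{fix}}(\boldsymbol{h}_{s-1}^*))}{q}.$$

Proof. By Lemma 3.3 we know that $\dim \mathrm{Im}(\Phi) = \sum_{i=1}^{s} (d + 1 - \kappa_i)$. Combining this with (3.2) and Lemma 3.7 we obtain

$$p_{r,d}[C_a = s] = \frac{1}{q^{\sum_{i=1}^{s-1}(d+1-\kappa_i)}} \sum_{\substack{h_1^* \in \mathbb{F}_q^{d+1} \\ N(\psi_1(h_1^*)) = 0}} \cdots \sum_{\substack{h_{s-1}^* \in \mathbb{F}_q^{d+1-\kappa_{s-1}} \\ N(\psi_{s-1}(\boldsymbol{h}_{s-1}^*)) = 0}} \frac{1}{q^{d+1-\kappa_s}} \sum_{h_s^* \in \mathbb{F}_q^{d+1-\kappa_s}} \mathbf{1}_{\{N>0\}}(\psi_s(\boldsymbol{h}_s^*)).$$

Then (3.12) and (3.13) complete the proof of the lemma.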


□ 

















If $s \le \min\{D_{d-2}, q^{r-1}\}$, then, as we explain in the next section, for any $\boldsymbol{h}_{s-1}^*$ such that $f_{h_s^*}$ is of degree $d$, the average cardinality in (3.13) has the asymptotic behavior $\mathcal{V}_d(\kappa_s, \psi_s^{\mathrm{fix}}(\boldsymbol{h}_{s-1}^*)) = \mu_d\, q + O(q^{1/2})$. Combining this with Lemma 3.8 we shall be led to consider “inner” sums in the expression for $p_{r,d}[C_a = s]$, which shall be expressed in terms of the average cardinality of the value sets of the families of polynomials we now introduce. For $1 \le i \le s-1$ and $1 \le j \le i-1$, fix $h_j^* := (h_{d-\kappa_j,j}, \dots, h_{0,j}) \in \mathbb{F}_q^{d+1-\kappa_j}$. For each $h_i^* := (h_{d-\kappa_i,i}, \dots, h_{0,i}) \in \mathbb{F}_q^{d+1-\kappa_i}$, denote

$$f_{h_i^*} := \psi_i(h_1^*, \dots, h_i^*) := h_{d,i} T^d + \cdots + h_{d+1-\kappa_i,i} T^{d+1-\kappa_i} + h_{d-\kappa_i,i} T^{d-\kappa_i} + \cdots + h_{0,i}.$$

Lemma 3.5 proves that the coefficients $h_{d,i}, \dots, h_{d+1-\kappa_i,i}$ are uniquely determined by $\boldsymbol{h}_{i-1}^* := (h_1^*, \dots, h_{i-1}^*)$. Consequently, we set $\psi_i^{\mathrm{fix}}(\boldsymbol{h}_{i-1}^*) := (h_{d,i}, \dots, h_{d+1-\kappa_i,i})$ and consider the average cardinality

$$\mathcal{V}_d(\kappa_i, \psi_i^{\mathrm{fix}}(\boldsymbol{h}_{i-1}^*)) := \frac{1}{q^{d+1-\kappa_i}} \sum_{h_i^* \in \mathbb{F}_q^{d+1-\kappa_i}} V(f_{h_i^*}). \tag{3.14}$$

Our next result expresses the probability of $s$ searches in terms of the quantities $\mathcal{V}_d(\kappa_i, \psi_i^{\mathrm{fix}}(\boldsymbol{h}_{i-1}^*))$ $(1 \le i \le s)$.

Theorem 3.9. For $s \le \min\{D_d, q^{r-1}\}$, we have

— 1 s 

Pr,d[Ca = S\ = (1 - PdY~ 1 Pd - -1" E r, 

q i=0 


where |7o| < 1 /g, 


7;:=(i-^r—Vd—r 


q- 1 


E • E 






X) (d+l — ... .... 

gJ =i 

ild,l=l 


/or 1 < i < s — 1 , and 
9-1 


r s := 


E • E 


13 ( d +! — ... JIT 

9 <= i 3-1 

iV(V> i(/»I))=0 N(il} s —i(h*_ 1 ))=0 

hd, 1 = 1 




Md . 


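Proof. Denote $C := C_a$. We split the expression for $p_{r,d}[C = s]$ of Lemma 3.8 into two sums, depending on whether $h_{d,1} = 0$ or not. More precisely, we write

$$p_{r,d}[C = s] = p_{r,d}[C = s, F_d = 0] + p_{r,d}[C = s, F_d \ne 0],$$

where

$$p_{r,d}[C = s, F_d = 0] = \frac{1}{q^{\sum_{i=1}^{s-1}(d+1-\kappa_i)}} \sum_{\substack{h_1^* \in \mathbb{F}_q^{d+1} \\ N(\psi_1(h_1^*)) = 0 \\ h_{d,1} = 0}} \cdots \sum_{\substack{h_{s-1}^* \in \mathbb{F}_q^{d+1-\kappa_{s-1}} \\ N(\psi_{s-1}(\boldsymbol{h}_{s-1}^*)) = 0}} \frac{\mathcal{V}_d(\kappa_s, \psi_s^{\mathrm{fix}}(\boldsymbol{h}_{s-1}^*))}{q},$$

$$p_{r,d}[C = s, F_d \ne 0] = \frac{1}{q^{\sum_{i=1}^{s-1}(d+1-\kappa_i)}} \sum_{\substack{h_1^* \in \mathbb{F}_q^{d+1} \\ N(\psi_1(h_1^*)) = 0 \\ h_{d,1} \ne 0}} \cdots \sum_{\substack{h_{s-1}^* \in \mathbb{F}_q^{d+1-\kappa_{s-1}} \\ N(\psi_{s-1}(\boldsymbol{h}_{s-1}^*)) = 0}} \frac{\mathcal{V}_d(\kappa_s, \psi_s^{\mathrm{fix}}(\boldsymbol{h}_{s-1}^*))}{q}$$

$$\qquad = \frac{q-1}{q^{\sum_{i=1}^{s-1}(d+1-\kappa_i)}} \sum_{\substack{h_1^* \in \mathbb{F}_q^{d+1} \\ N(\psi_1(h_1^*)) = 0 \\ h_{d,1} = 1}} \cdots \sum_{\substack{h_{s-1}^* \in \mathbb{F}_q^{d+1-\kappa_{s-1}} \\ N(\psi_{s-1}(\boldsymbol{h}_{s-1}^*)) = 0}} \frac{\mathcal{V}_d(\kappa_s, \psi_s^{\mathrm{fix}}(\boldsymbol{h}_{s-1}^*))}{q}.$$

In the first term we consider the intersection of the $\mathbb{F}_q$-linear space $\mathrm{Im}(\Phi)$ with the linear subspace $\{h_{d,1} = 0\}$. As the former is not contained in the latter, the dimension of the intersection drops at least by one, and Lemma 3.1 implies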


% ■— Pr.d \T 


s, F d = 0] < 


|Im($)| 


< 


^dimlm(<l>) —1 
^dim Im(<£) 


l 

q 


On the other hand, it is easy to see that the expression for $p_{r,d}[C = s, F_d \ne 0]$ may be rewritten in the following way:

PrA [C = s,F d ^ 0]=/z d s _? -1 V ■■■ V 1 + T S , 

q i= i K £< +1 

^V(bi(^l))=0 N (ijjs—i — ! )) = o 

hd, 1 = 1 


where T s is defined as in the statement of the theorem. 

Now we claim that, for $1 \le j \le s$,

p r ,d[C = s i F <i T 0] = {l-Pd) s ~ j p-d, —r- E E !+y ^Tj, 

q £ i (d+1 - K * ) h , eW d+ 1 h -_ 1&K d+1 - K i - 1 <=i 

JV(-0i(^n)=° JVfe-i(h*_i))=0 

^d,l = l 


where $T_i$ is defined as in the statement of the theorem. The claim for $j = 1$ is the assertion of the theorem.

We argue by downward induction on $j$ from $s$ to 1, the case $j = s$ being already proved. For $j < s$, suppose that the claim for $j + 1$ is already established. We have

$$\frac{1}{q^{d+1-\kappa_j}} \sum_{\substack{h_j^* \in \mathbb{F}_q^{d+1-\kappa_j} \\ N(\psi_j(\boldsymbol{h}_j^*)) = 0}} 1 = 1 - \frac{1}{q^{d+1-\kappa_j}} \sum_{\substack{h_j^* \in \mathbb{F}_q^{d+1-\kappa_j} \\ N(\psi_j(\boldsymbol{h}_j^*)) > 0}} 1 = 1 - \frac{\mathcal{V}_d(\kappa_j, \psi_j^{\mathrm{fix}}(\boldsymbol{h}_{j-1}^*))}{q}.$$

Replacing this identity in the expression for $p_{r,d}[C = s, F_d \ne 0]$ corresponding to the claim for $j + 1$ we readily deduce the claim for $j$, finishing thus the proof of the theorem. □


3.3. The probability of $C_a = s$. Theorem 3.9 shows that the probability that the SVS algorithm stops after $s \le D_d$ attempts can be expressed in terms of the average cardinality $\mathcal{V}_d(\kappa_i, \psi_i^{\mathrm{fix}}(\boldsymbol{h}_{i-1}^*))$ of the value set of certain families of univariate polynomials for $1 \le i \le s$. Each of these families consists of all the polynomials

$$f_b := \sum_{i=0}^{j-1} a_{d-i} T^{d-i} + \sum_{i=j}^{d} b_{d-i} T^{d-i}$$

with $b := (b_{d-j}, \dots, b_0) \in \mathbb{F}_q^{d+1-j}$, for a given $1 \le j \le d$ and $a := (a_d, \dots, a_{d-j+1}) \in \mathbb{F}_q^{j}$ with $a_d \ne 0$ (due to Remark 3.6). We are interested in the average

$$\mathcal{V}_d(j, a) := \frac{1}{q^{d+1-j}} \sum_{b \in \mathbb{F}_q^{d+1-j}} V(f_b).$$

Suppose that $q > d$. In [5], the following estimate is obtained for $1 \le j \le d/2 - 1$:

-“ 1 {d-2fe 2Vd 7 

q' 


(3.15) 


\Vd(j, a) - foj q\ < — + 


2 d ~2 


On the other hand, in m it is proved that, if the characteristic p of F g is greater 
than 2 and 1 < j < d — 3, then 


$$|\mathcal{V}_d(j, a) - \mu_d\, q| \le d^2\, 2^{d-1} q^{1/2} + 133\, d^{d+5} e^{2\sqrt{d} - d}. \tag{3.16}$$

Estimates (3.15) and (3.16) are the key point to determine the asymptotic behavior of the right-hand side of the expression for $p_{r,d}[C_a = s]$ of Theorem 3.9. More precisely, we have the following result.
Theorem 3.10. Let be given $a := (a_1, \dots, a_s) \in \mathbb{F}_q^{s(r-1)} \setminus B_s$, where the set $B_s$ is defined in (3.5). For $s \le \min\{\binom{d/2 + r - 1}{r-1}, q^{r-1}\}$, we have

\pr,d[ c a = s] - (1 - p d ) S ~ Vd| < ^e _1 + d ^d -1 -+■ ^ 9 _1 + 14g -2 . 

On the other hand, if $p > 2$ and $s \le \min\{\binom{d + r - 3}{r-1}, q^{r-1}\}$, then

$$\big| p_{r,d}[C_a = s] - (1 - \mu_d)^{s-1} \mu_d \big| \le d^2\, 2^d q^{-1/2} + (266\, d^{d+5} e^{2\sqrt{d} - d} + 1)\, q^{-1}.$$

Proof. Suppose that $s \le \min\{\binom{d/2 + r - 1}{r-1}, q^{r-1}\}$. Then $\kappa_s \le d/2$, and thus $1 \le \kappa_i - 1 \le d/2 - 1$ for $1 \le i \le s$. With notations as in Subsection 3.2, fix $1 \le i \le s$ and $h_j^* := (h_{d-\kappa_j,j}, \dots, h_{0,j}) \in \mathbb{F}_q^{d+1-\kappa_j}$ for $1 \le j \le i - 1$. Denote $\boldsymbol{h}_{i-1}^* := (h_1^*, \dots, h_{i-1}^*)$, set $\psi_i^{\mathrm{fix}}(\boldsymbol{h}_{i-1}^*) := (h_{d,i}, \dots, h_{d+1-\kappa_i,i})$ and consider the average cardinality $\mathcal{V}_d(\kappa_i, \psi_i^{\mathrm{fix}}(\boldsymbol{h}_{i-1}^*))$ as in (3.13) or (3.14). By (3.15) we conclude that, for any $\boldsymbol{h}_{i-1}^*$ with $\deg f_{h_i^*} = d$,


V d (Ki,^(hU)) 


Pd 


< 


D -1 


(d- 2) 5 e 2Vd \ 


2 d-2 


7 q 


-2 


Further, defining $T_i$ as in the statement of Theorem 3.9 for $1 \le i \le s$, we obtain


\Ti\<(i-p d y 


Pd 


3" 1 (d-2fe 2Vd 


2 d-2 


q~ l + 7q~ 2 


(1 < i < S - 1 ), 


,-l 


|T S |< (— + 


(d-2fe 2Vd \ 


2 d ~2 


7 q 


-2 


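Therefore, the first assertion of the theorem follows from Theorem 3.9.

On the other hand, for $s \le \min\{\binom{d + r - 3}{r-1}, q^{r-1}\}$ we have $\kappa_s \le d - 2$, and hence $\kappa_i - 1 \le d - 3$ for $1 \le i \le s$. Therefore, if $p > 2$, then (3.16) shows that

$$\left| \frac{\mathcal{V}_d(\kappa_i, \psi_i^{\mathrm{fix}}(\boldsymbol{h}_{i-1}^*))}{q} - \mu_d \right| \le d^2\, 2^{d-1} q^{-1/2} + 133\, d^{d+5} e^{2\sqrt{d} - d} q^{-1}.$$

It follows that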

\Ti\ < (1 — Pay-^Pdid 2 2 d ~ 1 q-$ + 133 d d+ 5 e 2 ^-V 1 ) (1 < * < * - 1), 

\T S \ < d 2 2 d - 1 g-a + 133 d^+'V^-V 1 . 


This readily implies the second assertion of the theorem. 


□ 


We remark that the approach of the proof of Theorem 3.10 cannot be applied to estimate the probability that $s > s^* := \binom{d + r - 3}{r-1}$ vertical strips are searched, since the behavior of the mapping $\Phi := \Phi_a : \mathcal{F}_{r,d} \to \mathcal{F}_{1,d}^s$ of (3.1) may change significantly in this case. In what concerns “large” values of $s$, from Theorem 3.10 one easily deduces the following result.

Corollary 3.11. With notations as in Theorem 3.10, for $s^* := \min\{\binom{d/2 + r - 1}{r-1}, q^{r-1}\}$ we have

$$p_{r,d}[C_a > s^*] = (1 - \mu_d)^{s^*} + O(q^{-1}).$$

On the other hand, if $p > 2$ and $s^* := \min\{\binom{d + r - 3}{r-1}, q^{r-1}\}$, then

$$p_{r,d}[C_a > s^*] = (1 - \mu_d)^{s^*} + O(q^{-1/2}).$$

As $|1 - \mu_d| \le 1/2$, from the expression of $s^*$ in both cases it follows that the main term of this probability decreases exponentially with $r$ and $d$.


4. Probabilistic analysis of the SVS algorithm 

In this section we determine the average-case complexity of the SVS algorithm. This analysis relies on the probability distribution of the number of searches performed, which is the subject of the next section.

4.1. Probability distribution of the number of searches. Similarly to Section 2, for $s \ge 3$ we denote

$$\mathsf{F}_s := \{(a_1, \dots, a_s) \in \mathbb{F}_q^{r-1} \times \cdots \times \mathbb{F}_q^{r-1} : a_i \ne a_j \text{ for } i \ne j\}, \qquad N_s := |\mathsf{F}_s|,$$

and consider the random variable $C_s := C_{s,r,d} : \mathsf{F}_s \times \mathcal{F}_{r,d} \to \{1, \dots, s, \infty\}$ defined for $a := (a_1, \dots, a_s) \in \mathsf{F}_s$ and $F \in \mathcal{F}_{r,d}$ in the following way:

$$C_s(a, F) := \begin{cases} \min\{j : N_{1,d}(F(a_j, X_r)) > 0\} & \text{if } \exists\, j \text{ with } N_{1,d}(F(a_j, X_r)) > 0, \\ \infty & \text{otherwise.} \end{cases}$$

We consider the set $\mathsf{F}_s \times \mathcal{F}_{r,d}$ as before endowed with the uniform probability $P_s := P_{s,r,d}$ and analyze the probability $P_s[C_s = s]$. To link the probability spaces determined by $\mathsf{F}_s \times \mathcal{F}_{r,d}$ and $P_s$ for $1 \le s \le q^{r-1}$, we have the following result.

Lemma 4.1. Let $s > 1$ and let $\pi_s : \mathsf{F}_s \times \mathcal{F}_{r,d} \to \mathsf{F}_{s-1} \times \mathcal{F}_{r,d}$ be the mapping induced by the projection $\mathsf{F}_s \to \mathsf{F}_{s-1}$ on the first $s - 1$ coordinates. If $S \subset \mathsf{F}_{s-1} \times \mathcal{F}_{r,d}$, then $P_s[\pi_s^{-1}(S)] = P_{s-1}[S]$.

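Proof. Note that

$$\pi_s^{-1}(S) = \bigcup_{F \in \mathcal{F}_{r,d}} \{(a_1, \dots, a_s) \in \mathsf{F}_s : (a_1, \dots, a_{s-1}, F) \in S\} \times \{F\}$$

$$\qquad = \bigcup_{F \in \mathcal{F}_{r,d}} \ \bigcup_{\substack{(a_1, \dots, a_{s-1}) \in \mathsf{F}_{s-1}: \\ (a_1, \dots, a_{s-1}, F) \in S}} \{(a_1, \dots, a_{s-1})\} \times (\mathbb{F}_q^{r-1} \setminus \{a_1, \dots, a_{s-1}\}) \times \{F\}.$$

It follows that

$$P_s[\pi_s^{-1}(S)] = \frac{1}{N_s |\mathcal{F}_{r,d}|} \sum_{F \in \mathcal{F}_{r,d}} \ \sum_{a \in \mathsf{F}_{s-1} : (a, F) \in S} (q^{r-1} - s + 1) = \frac{1}{N_{s-1} |\mathcal{F}_{r,d}|} \sum_{F \in \mathcal{F}_{r,d}} \big| \{a \in \mathsf{F}_{s-1} : (a, F) \in S\} \big| = P_{s-1}[S].$$

This proves the lemma.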


□ 


According to the Kolmogorov extension theorem (see, e.g., P2] Chapter IV, Section 5, Extension Theorem]), the conditions of “consistency” of Lemma 4.1 imply that the probabilities $P_s$ ($1 \le s \le q^{r-1}$) can be put in a unified framework. More precisely, we define $\mathsf{F} := \mathsf{F}_{q^{r-1}}$ and $P := P_{q^{r-1}}$. Then the probability measure $P$ defined on $\mathsf{F}$ allows us to interpret consistently all the results of this paper. In the same vein, the variables $C_s$ ($1 \le s \le q^{r-1}$) can be naturally extended to a random variable $C : \mathsf{F} \times \mathcal{F}_{r,d} \to \mathbb{N} \cup \{\infty\}$. Consequently, we shall drop the subscript $s$ from the notations $P_s$ and $C_s$ in what follows.

For the analysis of the probability distribution of the number of searches we express the probability $P[C = s]$ in terms of probabilities concerning the random variables $C_a := C_{a,r,d} : \mathcal{F}_{r,d} \to \mathbb{N}$, $a \in \mathsf{F}_s$, which count the number of vertical strips that are searched when the choice for the first $s$ vertical strips is $a$. As the result can be proved following the proof of Lemma 2.3 mutatis mutandis, we state it without proof.

Lemma 4.2. We have

$$P[C = s] = \frac{1}{N_s} \sum_{a \in \mathsf{F}_s} p_{r,d}[C_a = s].$$

In Theorem 3.10 we determine the asymptotic behavior of $p_{r,d}[C_a = s]$ for $a \in \mathsf{F}_s \setminus B_s$, where $B_s \subset \mathsf{F}_s$ is the set of (3.5). By (3.4) it follows that $|B_s| = O(q^{s(r-1)-1})$, where the $O$-constant depends on $s$, $d$ and $r$, but is independent of $q$. Now, to estimate the probability $P[C = s]$, Lemma 4.2 implies

$$P[C = s] = \frac{1}{N_s} \sum_{a \in \mathsf{F}_s \setminus B_s} p_{r,d}[C_a = s] + \frac{1}{N_s} \sum_{a \in B_s} p_{r,d}[C_a = s] = \frac{1}{N_s} \sum_{a \in \mathsf{F}_s \setminus B_s} p_{r,d}[C_a = s] + O(q^{-1}).$$

As a consequence, from Theorem 3.10 we deduce the following result.

Theorem 4.3. For $s \le \binom{d/2 + r - 1}{r-1}$, we have

$$P[C = s] = (1 - \mu_d)^{s-1} \mu_d + O(q^{-1}).$$

On the other hand, if $p > 2$ and $s \le \binom{d + r - 3}{r-1}$, then

$$P[C = s] = (1 - \mu_d)^{s-1} \mu_d + O(q^{-1/2}).$$


4.2. Average-case complexity. Now we are ready to determine the average-case complexity of the SVS algorithm.

Recall that, given $F \in \mathcal{F}_{r,d}$, the SVS algorithm successively generates a sequence $a := (a_1, a_2, \dots, a_{q^{r-1}}) \in \mathsf{F}_{q^{r-1}}$, and searches for $\mathbb{F}_q$-rational zeros of $F$ in the vertical strips $\{a_i\} \times \mathbb{F}_q$ for $1 \le i \le q^{r-1}$, until a zero of $F$ is found or all the vertical strips are exhausted. As discussed in Section 1, the whole procedure requires at most $C_a(F) \cdot \tau(d, r, q)$ arithmetic operations in $\mathbb{F}_q$, where $\tau(d, r, q) := O^{\sim}(D + d \log_2 q)$ is the maximum number of arithmetic operations in $\mathbb{F}_q$ necessary to perform a search in an arbitrary vertical strip.

The SVS algorithm has a probabilistic routine which searches for $\mathbb{F}_q$-rational zeros of elements of $\mathcal{F}_{1,d}$, which relies on $r_d$ random choices of elements of $\mathbb{F}_q$, for certain $r_d \in \mathbb{N}$. We denote by $\Omega_d := \mathbb{F}_q^{r_d}$ the set of all such random choices and consider $\Omega_d$ endowed with the uniform probability, $\mathsf{F} \times \mathcal{F}_{r,d}$ with the (uniform) probability $P$ of Section 4.1, and $\mathsf{F} \times \mathcal{F}_{r,d} \times \Omega_d$ with the product probability. Therefore, the cost of the SVS algorithm is represented by the random variable $X := X_{r,d} : \mathsf{F} \times \mathcal{F}_{r,d} \times \Omega_d \to \mathbb{N}_{\ge 0}$ which counts the number $X(a, F, \omega)$ of arithmetic operations performed on input $F \in \mathcal{F}_{r,d}$, with the choice of vertical strips defined by $a$ and the choice $\omega$ for the parameters of the routine for univariate root finding.

We aim to determine the asymptotic behavior of the expected value of $X$, namely

$$E[X] := \frac{1}{|\mathsf{F}|\, |\mathcal{F}_{r,d}|\, |\Omega_d|} \sum_{(a, F, \omega)} X(a, F, \omega) \le \frac{\tau(d, r, q)}{|\mathsf{F}|\, |\mathcal{F}_{r,d}|} \sum_{F \in \mathcal{F}_{r,d}} \sum_{a \in \mathsf{F}} C_a(F).$$

We first study the case $r > 2$, for which we have the following result.

Theorem 4.4. Let $r > 2$ and $s^* := \binom{d/2 + r - 1}{r-1}$. Then the average-case complexity of the SVS algorithm is bounded in the following way:

$$E[X] \le \tau(d, r, q) \big( \mu_d^{-1} + d (1 - d^{-1})^{s^*+1} + O(q^{-1/2}) \big), \tag{4.1}$$

where $\tau(d, r, q)$ is the cost of the search in a vertical strip.


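Proof. Recall that an element of $\mathcal{F}_{r,d}$ is called relatively $\mathbb{F}_q$-irreducible if none of its irreducible factors over $\mathbb{F}_q$ is absolutely irreducible. Consider the sets

$$A := \{F \in \mathcal{F}_{r,d} : F \text{ is relatively } \mathbb{F}_q\text{-irreducible}\}, \qquad B := \mathcal{F}_{r,d} \setminus A.$$

We have

$$\sum_{F \in \mathcal{F}_{r,d}} \sum_{a \in \mathsf{F}} C_a(F) = \sum_{F \in A} \sum_{a \in \mathsf{F}} C_a(F) + \sum_{F \in B} \sum_{a \in \mathsf{F}} C_a(F). \tag{4.2}$$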

F£j- rt d F F£Aa £F F£B a £F 

By IS Corollary 6.7], it follows that |A|/|.7> )( f| = 0[q ^ “). Hence, we obtain 


(4.3) 


1 = 


|F||P r , d 


FeA ae F 


\J~ r,d 


) =0{q~ 1 ). 
Next we study the second term in the right-hand side of (4.2). We have


1 £ = ^ £ £ » ' tag F: f> ~ a)l 


|f||p, 


r.d | 


FeBae F 1 ,,u ' 1 FeB s =1 1 1 

From the conditions of consistency of Lemma 4.1 it follows that


1 \ ' \ ' _ \B\ v— _j_ \ ' |{a g F 5 : C(a, F ) — s}| 

|F|LF r<I | ^ ^ j _ \T rd \ ^ ' \B\ ^ |FJ 

I M r ’ a l FeBae F 1 r ’ a| s=l 1 1 FeB 1 1 


\B\ 


\?r. 


sPfxb[C = s], 


where $P_{\mathsf{F} \times B}$ denotes the uniform probability in $\mathsf{F} \times B$.

For $s \le s^*$, Theorem 4.3 allows us to estimate the probability of $[C = s]$. Therefore, we decompose the sum above in the following way:

$$\sum_{s=1}^{q^{r-1}} s\, P_{\mathsf{F} \times B}[C = s] = \sum_{s=1}^{s^*} s\, P_{\mathsf{F} \times B}[C = s] + (s^* + 1) \sum_{s = s^*+1}^{q^{r-1}} P_{\mathsf{F} \times B}[C = s] + \sum_{s = s^*+2}^{q^{r-1}} (s - s^* - 1)\, P_{\mathsf{F} \times B}[C = s]$$

$$\qquad = \sum_{s=1}^{s^*} s\, P_{\mathsf{F} \times B}[C = s] + (s^* + 1)\, P_{\mathsf{F} \times B}[C \ge s^* + 1] + \sum_{s = s^*+2}^{q^{r-1}} P_{\mathsf{F} \times B}[C \ge s]. \tag{4.4}$$

First we estimate the sum $S_1$ of the first two terms in the right-hand side of (4.4). Arguing as in Lemma 4.2, we see that

$$P_{\mathsf{F} \times B}[C = s] = \frac{1}{N_s} \sum_{a \in \mathsf{F}_s} p_B[C_a = s].$$

From Theorem 4.3 and Corollary 3.11 we have

$$S_1 = \sum_{s=1}^{s^*} s \big( (1 - \mu_d)^{s-1} \mu_d + O(q^{-1}) \big) + (s^* + 1)(1 - \mu_d)^{s^*} + O(q^{-1}) = \mu_d \sum_{s=1}^{s^*} s (1 - \mu_d)^{s-1} + (s^* + 1)(1 - \mu_d)^{s^*} + O(q^{-1}).$$

Taking into account that $\sum_{n \ge 1} n z^{n-1} = 1/(1 - z)^2$ for any $|z| < 1$, we obtain

$$S_1 = \frac{1}{\mu_d} - \mu_d \sum_{s \ge s^*+1} s (1 - \mu_d)^{s-1} + (s^* + 1)(1 - \mu_d)^{s^*} + O(q^{-1}) \le \frac{1}{\mu_d} + O(q^{-1}), \tag{4.5}$$

where the last inequality follows from the identity $\sum_{s \ge s^*+1} s z^{s-1} = z^{s^*}(s^* + 1 - z s^*)/(1 - z)^2$, which holds for any $|z| < 1$ (see, e.g., [17, §2.3]).

Next, we estimate the second sum $S_2$ of the right-hand side of (4.4). Observe that

$$p_B[C_a \ge s] = p_B[F \in B : N_{1,d}(F(a_i, X_r)) = 0 \ (1 \le i \le s - 1)].$$
Hence,


E Tf] E |{f€5:iV M (F(a 1 ,X r )) = 0 (l<K S -l)}| 

s=s *+ 2 s (a.«».)eFs- 1 x ^- 1 


r— 1 9 


< 


< 


E 


i 


E 


l B l 1 - ( S - aCF,.. 


E 


i 


FeB 

Ni, d (F(a it X r ))=0 (l<i<s—1) 


|Fs-i| 


r—1 « 




1^1 s^ + 2« 


FeB 


where $P_{\mathsf{F}_{s-1}}[N_{1,d} = 0] := P_{\mathsf{F}_{s-1}}[\{a \in \mathsf{F}_{s-1} : N_{1,d}(F(a_i, X_r)) = 0, \ 1 \le i \le s - 1\}]$.

As $N_{1,d} = 0$ follows a hypergeometric distribution, the probability $P_{\mathsf{F}_{s-1}}[N_{1,d} = 0]$ can be expressed in the following way (see, e.g., EH Chapter 6]):


We deduce that 


(4.6) 


Pfs-i Wi,d = o] = 


E E(1- 


( q r ~ 1 -NS(F )) 


IP 


(Cl 1 ) 


NS{F) - 1 
q r ~ 1 - 1 


s-l 


s=s*+2 FeB 

Fix F £ B. Then F has at least an absolutely irreducible factor defined over F 9 . 
Hence, for q > d 4 , by [6;, Theorem 5.2] it follows that NS(F) > (1 — a), with 

a := d 2 q~ 1 / 2 . This implies 

Combining this inequality with (EU) we conclude that 


S2< Wl E E ( 1 ^( 1 -«)rf- 1 +0(9 1 - r )) 

I I s=s*+2 FeB 

= £ ( 1-(1 - a ) d - 1 + 0 ( g 1 -’')) s - 1 


s -1 


s=s* +2 


= (1 ^ ^) - + O^) = d( 1 - d~Y +1 + 0(W 1/2 )- 

(1 — a)d 1 

Combining (4.2), (4.3) and (4.5) with this inequality, we deduce (4.1).


□ 


Since $s^* \ge d^2/4$, the term $d(1 - d^{-1})^{s^*+1}$ tends to zero as $d$ and $r$ grow, and therefore the right-hand side of (4.1) behaves as $\mu_d^{-1}\, \tau(d, r, q)$. We may paraphrase this as saying that, on average, at most $\mu_d^{-1} \approx 1.58\ldots$ vertical strips are searched until an $\mathbb{F}_q$-rational point of the input polynomial is obtained. For perspective, we remark that the probabilistic algorithms of [15] (for bivariate polynomials) and [5] and [20] (for $r$-variate polynomials) propose $d$ searches in order to achieve a probability of success greater than 1/2.
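The geometric law of Theorem 4.3 and the resulting average of about $\mu_d^{-1}$ searches can be observed empirically. The following Python sketch is an added illustration, not the authors' code: it runs the search on vertical strips over a prime field $\mathbb{F}_p$ on uniformly random polynomials, with exhaustive evaluation standing in for the gcd-based root finding, and all function names are hypothetical. It assumes $\mu_d = \sum_{j=1}^{d} (-1)^{j-1}/j!$ (the value consistent with Lemma 5.1 and with $\mu_d^{-1} \approx 1.58$) and uses the constructed parameters p = 101, r = 2, d = 3.

```python
import random
from fractions import Fraction
from itertools import product
from math import factorial


def mu(d):
    """mu_d = sum_{j=1}^{d} (-1)^(j-1)/j! (assumed definition; it tends to 1 - 1/e)."""
    return sum(Fraction((-1) ** (j - 1), factorial(j)) for j in range(1, d + 1))


def random_poly(p, r, d, rng):
    """Uniform element of F_{r,d}: one F_p coefficient per monomial of degree <= d."""
    return {e: rng.randrange(p)
            for e in product(range(d + 1), repeat=r) if sum(e) <= d}


def restrict(F, a, p, d):
    """Coefficients (constant term first) of the univariate polynomial F(a, T)."""
    coef = [0] * (d + 1)
    for e, c in F.items():
        for ai, ei in zip(a, e[:-1]):
            c = c * pow(ai, ei, p) % p
        coef[e[-1]] = (coef[e[-1]] + c) % p
    return coef


def roots(coef, p):
    """All zeros in F_p of a univariate polynomial (Horner evaluation at every point)."""
    found = []
    for x in range(p):
        value = 0
        for c in reversed(coef):
            value = (value * x + c) % p
        if value == 0:
            found.append(x)
    return found


def evaluate(F, point, p, d):
    """F(point) in F_p; used only to check the output of the search."""
    value = 0
    for c in reversed(restrict(F, point[:-1], p, d)):
        value = (value * point[-1] + c) % p
    return value


def svs(F, p, r, d, rng=None):
    """Search on vertical strips: returns (zero, searches); zero is None if F has no zero."""
    rng = rng or random.Random()
    strips = list(product(range(p), repeat=r - 1))
    rng.shuffle(strips)                    # pairwise-distinct strips in uniform random order
    for searches, a in enumerate(strips, start=1):
        zs = roots(restrict(F, a, p, d), p)
        if zs:
            return a + (rng.choice(zs),), searches   # equiprobable zero inside the strip
    return None, len(strips)


def experiment(p, r, d, trials, seed=0):
    """Empirical distribution and mean of the number of strips searched."""
    rng = random.Random(seed)
    counts, total = {}, 0
    for _ in range(trials):
        F = random_poly(p, r, d, rng)
        zero, searches = svs(F, p, r, d, rng)
        if zero is not None and evaluate(F, zero, p, d) != 0:
            raise AssertionError("search returned a point that is not a zero of F")
        counts[searches] = counts.get(searches, 0) + 1
        total += searches
    freq = {s: c / trials for s, c in sorted(counts.items())}
    return freq, total / trials


def geometric(d, s):
    """Main term (1 - mu_d)^(s-1) * mu_d of Theorem 4.3."""
    m = mu(d)
    return float((1 - m) ** (s - 1) * m)


if __name__ == "__main__":
    p, r, d = 101, 2, 3                    # constructed parameters: prime p > d
    freq, mean = experiment(p, r, d, trials=2000, seed=1)
    for s in range(1, 5):
        print(f"s={s}: empirical {freq.get(s, 0):.3f}  geometric {geometric(d, s):.3f}")
    print(f"mean searches {mean:.3f}  vs  1/mu_d = {float(1 / mu(d)):.3f}")
```
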

Now we analyze the average-case complexity $E[X]$ for $r = 2$, that is,

$$E[X] := \frac{1}{|\mathsf{F}|\, |\mathcal{F}_{2,d}|\, |\Omega_d|} \sum_{(a, F, \omega)} X(a, F, \omega) \le \frac{\tau(d, r, q)}{|\mathsf{F}|\, |\mathcal{F}_{2,d}|} \sum_{F \in \mathcal{F}_{2,d}} \sum_{a \in \mathsf{F}} C_a(F).$$

For a real $0 < \alpha < 1$ to be determined, we consider the subsets

$$A := \{F \in \mathcal{F}_{2,d} : NS(F) < (1 - \alpha) NS(2, d)\}, \qquad B := \{F \in \mathcal{F}_{2,d} : NS(F) \ge (1 - \alpha) NS(2, d)\},$$

where $NS(F)$ is the number of vertical strips on which $F$ has $\mathbb{F}_q$-rational zeros, and $NS(2, d)$ is the average number of such vertical strips. We have

$$\sum_{F \in \mathcal{F}_{2,d}} \sum_{a \in \mathsf{F}} C_a(F) = \sum_{F \in A} \sum_{a \in \mathsf{F}} C_a(F) + \sum_{F \in B} \sum_{a \in \mathsf{F}} C_a(F). \tag{4.7}$$

To estimate the first term of the right-hand side of (4.7), we start with an estimate for $|A|$. For this purpose, according to Lemma 5.1 and Proposition 5.2 below, the mean $NS(2, d)$ and the variance $NS_2(2, d)$ of $NS(\cdot)$ have the asymptotic behavior $NS(2, d) = \mu_d\, q + O(1)$ and $NS_2(2, d) = ((d!)^{-2} + \mu_d (1 - \mu_d))\, q + O(1)$ respectively. Then the Chebyshev inequality (see Corollary 5.3 below) implies

$$|A| \le \left( \frac{1}{(\alpha \mu_d\, d!)^2} + \frac{1 - \mu_d}{\alpha^2 \mu_d} \right) q^{\dim \mathcal{F}_{2,d} - 1} + O(q^{\dim \mathcal{F}_{2,d} - 2}).$$


It follows that 
1 


(4.8) 


|F||^2,d 




F&A ogF 


1 ^2, d 


1 


_ 1 ~ Td 

(ap d d \) 2 a 2 p d 


FOiq- 1 ). 


Next we study the second sum in the right-hand side of (4.7). Arguing as in the case $r > 2$, for $s^* := d/2 + 1$ we obtain


IFHJidl ^ - p d + \B\ E E I 1 

I H ^- a l FGBa £F r 1 1 s=s*+2 FeB 


NS(F) - 1 
9-1 


0(q 


-I s ! 


Fix $F \in B$. By definition $NS(F) \ge (1 - \alpha) NS(2, d)$ and, according to Lemma 5.1 below, we have $NS(2, d) = \mu_d\, q + O(1)$. Hence, we obtain

$$1 - \frac{NS(F) - 1}{q - 1} \le 1 - (1 - \alpha) \mu_d + O(q^{-1}).$$

Therefore,

$$\frac{1}{|B|} \sum_{s = s^*+2}^{q} \sum_{F \in B} \left( 1 - \frac{NS(F) - 1}{q - 1} \right)^{s-1} \le \frac{(1 - (1 - \alpha) \mu_d)^{s^*+1}}{(1 - \alpha) \mu_d} + O(q^{-1}).$$


Combining (4.7) and (4.8) with this inequality, we conclude that


E{X\ < r(d,r,,)+ ^ + (' - P - “W") + Ofo -1 )- 
Fixing $\alpha^* := 1 - 1/\sqrt{s^*}$, we obtain the following result.

Theorem 4.5. Let $r := 2$, $s^* := d/2 + 1$ and $\alpha^* := 1 - 1/\sqrt{s^*}$. The average-case complexity of the SVS algorithm is bounded in the following way:


E[X] < r(d,r, 9 )^-^^- 


Pd 


\ 1 

/ „ \ s *+l\ 

+ - + I 

/ Pd 



hd (d\) 2 ti 

where $\tau(d, r, q)$ is the cost of the search in a vertical strip.


‘ 0(q~ ), 


As $d$ grows, the quantity $s^*$ tends to infinity and the expression parenthesized in $E[X]$ tends to $(2 - \mu_d)/\mu_d \approx 2.16\ldots$ This is an upper bound for the number of vertical strips that are searched on average for $r = 2$.


5. On the probability distribution of the outputs 

This section is devoted to the analysis of the probability distribution of the outputs of the SVS algorithm. For this purpose, following [3] (see also |j), we use the concept of Shannon entropy. For $F \in \mathcal{F}_{r,d}$, denote $Z(F) := \{\boldsymbol{x} \in \mathbb{F}_q^r : F(\boldsymbol{x}) = 0\}$ and $N(F) := |Z(F)|$. We define a Shannon entropy $H_F$ associated with $F$ as

$$H_F := \sum_{\boldsymbol{x} \in Z(F)} -P_{\boldsymbol{x},F} \log(P_{\boldsymbol{x},F}), \tag{5.1}$$

where $P_{\boldsymbol{x},F}$ is the probability that the SVS algorithm outputs $\boldsymbol{x}$ on input $F$ and $\log$ denotes the natural logarithm. It is well-known that $H_F \le \log N(F)$, and equality holds if and only if $P_{\boldsymbol{x},F} = 1/N(F)$ for every $\boldsymbol{x} \in Z(F)$. We shall consider the average entropy when $F$ runs through all the elements of $\mathcal{F}_{r,d}$, namely

(5 ' 2) 

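For an “ideal” algorithm for the search of $\mathbb{F}_q$-rational zeros of elements of $\mathcal{F}_{r,d}$, from the point of view of the probability distribution of outputs, and $F \in \mathcal{F}_{r,d}$, the probability $P_{\boldsymbol{x},F}^{\mathrm{ideal}}$ that a given $\boldsymbol{x} \in Z(F)$ occurs as output is equal to $1/N(F)$. As a consequence, according to the definition (5.1), the corresponding entropy is

$$H_F^{\mathrm{ideal}} := \sum_{\boldsymbol{x} \in Z(F)} -P_{\boldsymbol{x},F}^{\mathrm{ideal}} \log(P_{\boldsymbol{x},F}^{\mathrm{ideal}}) = \sum_{\boldsymbol{x} \in Z(F)} \frac{\log N(F)}{N(F)} = \log N(F).$$

By the concavity of the function $x \mapsto \log x$ and (5.2), we conclude that

$$H^{\mathrm{ideal}} \le \log\left( \frac{1}{|\mathcal{F}_{r,d}|} \sum_{F \in \mathcal{F}_{r,d}} N(F) \right) = \log(q^{r-1}), \tag{5.3}$$

where the last identity is due to (1.1). In our analysis below, we shall exhibit a lower bound on the average entropy $H$ which nearly matches this upper bound.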


5.1. On the number of vertical strips. A critical point in the study of the behavior of $H$ is the analysis of the probability distribution of the random variable $NS : \mathcal{F}_{r,d} \to \mathbb{Z}_{\ge 0}$ which counts the number of vertical strips with $\mathbb{F}_q$-rational zeros of the elements of $\mathcal{F}_{r,d}$.

Recall that $VS(F)$ denotes the set of vertical strips where each $F \in \mathcal{F}_{r,d}$ has $\mathbb{F}_q$-rational zeros and $NS(F)$ is its cardinality, that is,

$$VS(F) := \{a \in \mathbb{F}_q^{r-1} : (\exists\, x_r \in \mathbb{F}_q)\ F(a, x_r) = 0\}, \qquad NS(F) := |VS(F)|.$$

We start considering the average number of vertical strips in $\mathcal{F}_{r,d}$, namely

$$NS(r, d) := \frac{1}{|\mathcal{F}_{r,d}|} \sum_{F \in \mathcal{F}_{r,d}} NS(F).$$

According to (2.1), we have $NS(r, d) = q^{r-1} P[C = 1]$. Therefore, as an immediate consequence of Theorem 2.1 and Corollary 2.2 we have the following result.

Lemma 5.1. The number $NS(r, d)$ satisfies

NS(r, d) = ^(-l)*- 1 Q q r ~ 1 ~ k + (-l) d 

= H d q r - 1 + 0(q r ~ 2 ). 



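Next we determine the variance $NS_2(r, d)$:

$$NS_2(r, d) := \frac{1}{|\mathcal{F}_{r,d}|} \sum_{F \in \mathcal{F}_{r,d}} (NS(F) - NS(r, d))^2 = \frac{1}{|\mathcal{F}_{r,d}|} \sum_{F \in \mathcal{F}_{r,d}} NS(F)^2 - NS(r, d)^2.$$

Proposition 5.2. The variance $NS_2(r, d)$ satisfies

$$NS_2(r, d) = \frac{1}{(d!)^2}\, q^{2r-3} + \mu_d (1 - \mu_d)\, q^{r-1} + O(q^{2r-4}).$$

Proof. Recall the notations $\mathsf{F}_2 := (\mathbb{F}_q^{r-1})^2 \setminus \{(a, a) : a \in \mathbb{F}_q^{r-1}\}$ and $N_2 := |\mathsf{F}_2|$. Fix $F \in \mathcal{F}_{r,d}$. We have

$$NS(F)^2 = \Big| \bigcup_{x, y \in \mathbb{F}_q} \{(a_1, a_2) \in (\mathbb{F}_q^{r-1})^2 : F(a_1, x) = F(a_2, y) = 0\} \Big|.$$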
Then the inclusion-exclusion principle implies

£ «s(d 2 = £ ££(-i) J,+ *£ £ s «.a) 

F^Tr^d FEF’ r> d j=l fe=l 

= ££(- 1 >' + * £ £ £ Ws.jw, 

j = l fc=l iVfcCl^ F^Fr^d 

where <Tj and 34 run through all the subsets of F g of cardinality j and k, respectively, 
and, for arbitrary subsets X C F g and 3^CF ?1 

SO*, 30 := |{(ai,a 2 ) G (FJ ’ -1 ) 2 : (Vx € X)(\/x G y)F(oi,x) = 0,F(a 2 ,i/) = 0}|. 
For a := (ai, a 2 ) G (FJ --1 ) 2 and subsets T C F g and 3^ C F g , denote 

5„(^,y) := G F r .d : (V* G X)(Vx G 3>)*’(ai > z) = 0 ,F(a 2 , 2 /) = 0}. 

It follows that 


E ^(^) 2 = EE(- 1 ) j+fc E E E 

F^Fr.d J=1 fe=l AfjCF, y fc CF, ae(F 9 r_1 ) 2 

= £ ££(-D i+ * £ £ fe«,A)i=: £ jv.,2, 

a£(I^ r— X ) 2 ■? — ^ ^=1 Xj CFf yk ae(I^ r— X ) 2 

where $N_{a,2}$ is defined as in (2.6). If $a \in \mathsf{F}_2$, then the claim in the proof of Proposition 2.4 asserts that

On the other hand, for $(a, a) \in (\mathbb{F}_q^{r-1})^2 \setminus \mathsf{F}_2$, by elementary calculations we see that

*(-»),2 :=EE(-D j+fc E E i«5(a,a)(^-,y fc )i = E(- 1 ) i-1 E i*s«(**)i, 

j=l fc=l XjC% 34CF, 3 = 1 XjC% 

where $S_a(Z) := \{F \in \mathcal{F}_{r,d} : (\forall z \in Z)\ F(a, z) = 0\}$ for any subset $Z \subset \mathbb{F}_q$. Thus,

1 £ NS(Ff = £ £ £(-1 y-' £ IS,(*i)l 


| Fr, 


F 6 £, 


Tt \Fr,d\ r.d 

_ zf~2 

= N 2 ^(q 1 ~ r NS(r,d)) 2 + 9-1 ( q ~ X 


q 2d + 2 V d 


Xj CF g 
2 \ 


E 

F6F. 


NS(F) 
\FrA ‘ 


The statement of the proposition follows easily from Lemma 5.1.


□ 


By the Chebyshev inequality we obtain a lower bound on the number of $F \in \mathcal{F}_{r,d}$ for which $NS(F)$ differs a certain proportion from the expected value $NS(r, d)$.

Corollary 5.3. For $0 < \alpha < 1$, the number $A(\alpha)$ of $F \in \mathcal{F}_{r,d}$ for which $NS(F) < (1 - \alpha) NS(r, d)$ is bounded as

$$A(\alpha) \le \frac{1}{(\alpha \mu_d\, d!)^2}\, q^{\dim \mathcal{F}_{r,d} - 1} + \frac{1 - \mu_d}{\alpha^2 \mu_d}\, q^{\dim \mathcal{F}_{r,d} - r + 1} + O(q^{\dim \mathcal{F}_{r,d} - 2}).$$

Proof. By Lemma 5.1 and Proposition 5.2 the Chebyshev inequality implies

$$p_{r,d}\big( |NS(F) - NS(r, d)| \ge \alpha\, NS(r, d) \big) \le \frac{NS_2(r, d)}{\alpha^2 NS(r, d)^2}.$$

Taking into account that

$$\frac{NS_2(r, d)}{\alpha^2 NS(r, d)^2} = \frac{1}{(\alpha \mu_d\, d!)^2}\, q^{-1} + \frac{1 - \mu_d}{\alpha^2 \mu_d}\, q^{1-r} + O(q^{-2}),$$

the corollary readily follows.


□ 
5.2. A lower bound for the entropy. In order to analyze the Shannon entropy (5.2), it is necessary to determine the probability $P_{\boldsymbol{x},F}$ that an element $\boldsymbol{x} := (a, x) \in \mathbb{F}_q^r$ occurs as output on input $F \in \mathcal{F}_{r,d}$.

Given an input polynomial $F \in \mathcal{F}_{r,d}$, and the vertical strip defined by an element $a \in \mathbb{F}_q^{r-1}$, the SVS algorithm proceeds to search for $\mathbb{F}_q$-rational zeros of the univariate polynomial $f := \gcd(F(a, T), T^q - T)$. If this search is done using the randomized algorithm of Cantor and Zassenhaus (see 13 ), then all the $\mathbb{F}_q^{\times}$-rational zeros of $f$ are equiprobable (see, e.g., [14, Section 14.3]). The algorithm can be easily modified so that all $\mathbb{F}_q$-rational zeros of $f$ are equiprobable. In the sequel we shall assume that the search of roots in $\mathbb{F}_q$ of elements of $\mathcal{F}_{1,d}$ is performed using a randomized algorithm for which all outputs are equiprobable.

For the analysis of the distribution of outputs, we denote as before by $\Omega_d := \mathbb{F}_q^{r_d}$ the set of all possible random choices of elements of $\mathbb{F}_q$ made by the routine for univariate root finding. We consider $\Omega_d$ to be endowed with the uniform probability, $\mathsf{F} \times \mathcal{F}_{r,d}$ with the probability measure $P$ of Section 4.1 and $\mathsf{F} \times \mathcal{F}_{r,d} \times \Omega_d$ with the product probability $P \times P_{\Omega_d}$. Finally, we shall consider probabilities related to the random variable $C_{\mathrm{out}} : \mathsf{F} \times \mathcal{F}_{r,d} \times \Omega_d \to \mathbb{F}_q^r \cup \{\emptyset\}$ defined in the following way: for a triple $(a, F, \gamma) \in \mathsf{F} \times \mathcal{F}_{r,d} \times \Omega_d$, if $F$ has an $\mathbb{F}_q$-rational zero on any of the vertical strips defined by $a$, and $a_j$ is the first vertical strip with this property, then $C_{\mathrm{out}}(a, F, \gamma) := (a_j, x)$, where $x \in \mathbb{F}_q$ is the zero of $F(a_j, T)$ computed by the root-finding routine determined by the random choice $\gamma$. Otherwise, we define $C_{\mathrm{out}}(a, F, \gamma) := \emptyset$. In these terms, the probability $P_{\boldsymbol{x},F}$ that an element $\boldsymbol{x} := (a, x) \in \mathbb{F}_q^r$ occurs as output on input $F \in \mathcal{F}_{r,d}$ may be expressed as the conditional probability $P \times P_{\Omega_d}[C_{\mathrm{out}} = \boldsymbol{x} \mid F]$, namely

$$P_{\boldsymbol{x},F} = P \times P_{\Omega_d}[C_{\mathrm{out}} = \boldsymbol{x} \mid F] := \frac{P \times P_{\Omega_d}[\{C_{\mathrm{out}} = \boldsymbol{x}\} \cap (\mathsf{F} \times \{F\} \times \Omega_d)]}{P \times P_{\Omega_d}[\mathsf{F} \times \{F\} \times \Omega_d]}.$$

Now we are ready to determine $P_{\boldsymbol{x},F}$. For this purpose, we denote by $N_a(F)$ the number of $\mathbb{F}_q$-rational zeros of $F$ in the vertical strip defined by $a$, i.e.,

$$N_a(F) := |\{x \in \mathbb{F}_q : F(a, x) = 0\}|.$$

We have the following result.

Lemma 5.4. Let $F \in \mathcal{F}_{r,d}$ and $\boldsymbol{x} := (a, x) \in Z(F)$. Then

$$P_{\boldsymbol{x},F} = \frac{1}{NS(F)\, N_a(F)}.$$

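Proof. If $\boldsymbol{x}$ occurs as output at the $j$th step, then the SVS algorithm
must have chosen elements $\boldsymbol{a}_1, \dots, \boldsymbol{a}_{j-1}$ for the first
$j-1$ searches such that $N_{\boldsymbol{a}_k}(F) = 0$ for $1 \le k \le j-1$, and the
element $\boldsymbol{a}$ for the $j$th search. Finally, the routine for finding roots
of $F(\boldsymbol{a},T)$ must output $x$, which occurs with probability
$1/N_{\boldsymbol{a}}(F)$.

Recall that the element $\boldsymbol{a}_j \in \mathbb{F}_q^{r-1}$ for the $j$th search
is randomly chosen among the elements of
$\mathbb{F}_q^{r-1} \setminus \{\boldsymbol{a}_1, \dots, \boldsymbol{a}_{j-1}\}$ with
equiprobability. Therefore, if $\boldsymbol{a}$ arises as the choice for the $j$th
step, then the SVS algorithm must have chosen pairwise-distinct elements
$\boldsymbol{a}_1, \dots, \boldsymbol{a}_{j-1} \in \mathbb{F}_q^{r-1} \setminus NS(F)$
for the first $j-1$ searches. The probability of these choices is

$$P\big(N_{\boldsymbol{a}_1}(F) = 0, \dots, N_{\boldsymbol{a}_{j-1}}(F) = 0, \boldsymbol{a}_j = \boldsymbol{a} \mid F\big)
= \prod_{k=0}^{j-2}\left(1 - \frac{NS(F)}{q^{r-1}-k}\right)\frac{1}{q^{r-1}-j+1}
= \frac{1}{q^{r-1}}\,\frac{\binom{q^{r-1}-NS(F)}{j-1}}{\binom{q^{r-1}-1}{j-1}}.$$

As there are $q^{r-1} - NS(F)$ elements $\boldsymbol{b} \in \mathbb{F}_q^{r-1}$ with
$N_{\boldsymbol{b}}(F) = 0$, the algorithm performs at most $q^{r-1} - NS(F) + 1$
searches. Finally, when $\boldsymbol{a}$ is chosen, the probability to find $x$ as the
$\mathbb{F}_q$-rational zero of $F(\boldsymbol{a},T)$ is equal to
$1/N_{\boldsymbol{a}}(F)$. It follows that

$$P_{\boldsymbol{x},F}
= \sum_{j=1}^{q^{r-1}-NS(F)+1} P\big(N_{\boldsymbol{a}_1}(F) = 0, \dots, N_{\boldsymbol{a}_{j-1}}(F) = 0, \boldsymbol{a}_j = \boldsymbol{a} \mid F\big)\,\frac{1}{N_{\boldsymbol{a}}(F)}
= \frac{1}{q^{r-1} N_{\boldsymbol{a}}(F)} \sum_{j=0}^{q^{r-1}-NS(F)} \frac{\binom{q^{r-1}-NS(F)}{j}}{\binom{q^{r-1}-1}{j}}.$$

According to, e.g., [tm, §5.2, Problem 1],

$$\sum_{j=0}^{q^{r-1}-NS(F)} \frac{\binom{q^{r-1}-NS(F)}{j}}{\binom{q^{r-1}-1}{j}} = \frac{q^{r-1}}{NS(F)}.$$

We conclude that

$$P_{\boldsymbol{x},F} = \frac{1}{q^{r-1} N_{\boldsymbol{a}}(F)} \cdot \frac{q^{r-1}}{NS(F)} = \frac{1}{NS(F)\, N_{\boldsymbol{a}}(F)}.$$

This completes the proof of the lemma. □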
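The following added example (not code from the paper) checks Lemma 5.4 exactly on a constructed toy instance, the polynomial $X_2^2 - X_1$ over $\mathbb{F}_5$ with $r = 2$: it enumerates every order in which the five strips can be drawn, computes the exact output distribution, and compares it with $1/(NS(F) N_{\boldsymbol{a}}(F))$ and with the entropy of an equidistributed output. The polynomial, the field size and all function names are assumptions made for the illustration.

```python
from fractions import Fraction
from itertools import permutations
from math import log

Q = 5  # constructed example: the field F_5 with r = 2, so strips are a in F_5

def F(a, x):
    """Constructed sample polynomial F(X1, X2) = X2^2 - X1 over F_5."""
    return (x * x - a) % Q

def strip_zeros(poly, q):
    """Map every strip a to the list of x in F_q with poly(a, x) = 0."""
    return {a: [x for x in range(q) if poly(a, x) == 0] for a in range(q)}

def exact_output_distribution(poly, q):
    """Exact law of the SVS output: average over every order in which the
    strips can be drawn without repetition; inside the first strip that
    contains zeros, the root is returned with uniform probability."""
    zeros = strip_zeros(poly, q)
    orders = list(permutations(range(q)))
    dist = {}
    for order in orders:
        hit = next((a for a in order if zeros[a]), None)
        if hit is None:  # poly has no F_q-rational zero
            continue
        weight = Fraction(1, len(orders) * len(zeros[hit]))
        for x in zeros[hit]:
            dist[(hit, x)] = dist.get((hit, x), Fraction(0)) + weight
    return dist

def lemma_5_4(poly, q):
    """Closed form of Lemma 5.4: P_{x,F} = 1 / (NS(F) * N_a(F))."""
    zeros = strip_zeros(poly, q)
    ns = sum(1 for zs in zeros.values() if zs)
    return {(a, x): Fraction(1, ns * len(zs))
            for a, zs in zeros.items() for x in zs}

def entropy(dist):
    """Shannon entropy of the output distribution, natural logarithm."""
    return -sum(float(p) * log(float(p)) for p in dist.values())

if __name__ == "__main__":
    dist = exact_output_distribution(F, Q)
    print("matches Lemma 5.4:", dist == lemma_5_4(F, Q))
    print("H_F =", entropy(dist), " log N(F) =", log(len(dist)))
```

Here three strips carry zeros, one of them a single zero, so that zero is output with probability 1/3 while the other four zeros each have probability 1/6; the entropy falls slightly below $\log 5$.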


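For any $F \in \mathcal{F}_{r,d}$, consider the entropy

$$H_F = \sum_{(\boldsymbol{a},x) \in Z(F)} \frac{\log\big(NS(F)\, N_{\boldsymbol{a}}(F)\big)}{NS(F)\, N_{\boldsymbol{a}}(F)}. \tag{5.4}$$

We aim to determine the asymptotic behavior of the average entropy

$$H := \frac{1}{|\mathcal{F}_{r,d}|} \sum_{F \in \mathcal{F}_{r,d}} H_F
= \frac{1}{|\mathcal{F}_{r,d}|} \sum_{F \in \mathcal{F}_{r,d}} \sum_{(\boldsymbol{a},x) \in Z(F)} \frac{\log\big(NS(F)\, N_{\boldsymbol{a}}(F)\big)}{NS(F)\, N_{\boldsymbol{a}}(F)}.$$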


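Observe that

$$\sum_{F \in \mathcal{F}_{r,d}} \sum_{(\boldsymbol{a},x) \in Z(F)} 1
= \sum_{(\boldsymbol{a},x) \in \mathbb{F}_q^r} |\{F \in \mathcal{F}_{r,d} : F(\boldsymbol{a},x) = 0\}|
= q^{\dim \mathcal{F}_{r,d} + r - 1}. \tag{5.5}$$

Further, the function $h : (0,+\infty) \to \mathbb{R}$, $h(x) := \log x / x$ is increasing
in the interval $[e, +\infty)$ and convex in the interval $[e^{3/2}, +\infty)$. By
Corollary 5.3 the probability of the set of $F \in \mathcal{F}_{r,d}$ having up to
$e^{3/2} = 4.48\ldots$ vertical strips is $O(q^{-1})$. Therefore,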


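$$H = \frac{\sum_{F \in \mathcal{F}_{r,d}} \sum_{(\boldsymbol{a},x) \in Z(F)} 1}{|\mathcal{F}_{r,d}|}
\cdot \frac{\sum_{F \in \mathcal{F}_{r,d}} \sum_{(\boldsymbol{a},x) \in Z(F)} \frac{\log(NS(F) N_{\boldsymbol{a}}(F))}{NS(F)\, N_{\boldsymbol{a}}(F)}}{\sum_{F \in \mathcal{F}_{r,d}} \sum_{(\boldsymbol{a},x) \in Z(F)} 1}
\ge q^{r-1}\, h\!\left(\frac{\sum_{F \in \mathcal{F}_{r,d}} \sum_{(\boldsymbol{a},x) \in Z(F)} NS(F)\, N_{\boldsymbol{a}}(F)}{\sum_{F \in \mathcal{F}_{r,d}} \sum_{(\boldsymbol{a},x) \in Z(F)} 1}\right) \big(1 + O(q^{-1})\big). \tag{5.6}$$

Next we analyze the numerator

$$\mathcal{N} := \sum_{F \in \mathcal{F}_{r,d}} \sum_{(\boldsymbol{a},x) \in Z(F)} NS(F)\, N_{\boldsymbol{a}}(F)$$

in the argument of $h$ in the last expression.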

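Lemma 5.5. We have $\mathcal{N} = 2\mu_d\, q^{2r-2+\dim \mathcal{F}_{r,d}} \big(1 + O(q^{-1})\big)$.

Proof. For $F \in \mathcal{F}_{r,d}$ and $\boldsymbol{a} \in VS(F)$, we have

$$NS(F) = \Big|\bigcup_{x \in \mathbb{F}_q} \{\boldsymbol{a} \in \mathbb{F}_q^{r-1} : F(\boldsymbol{a},x) = 0\}\Big|,
\qquad N_{\boldsymbol{a}}(F) = |\{x \in \mathbb{F}_q : F(\boldsymbol{a},x) = 0\}|.$$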
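As a consequence,

$$\mathcal{N} = \sum_{F \in \mathcal{F}_{r,d}} \sum_{\substack{(\boldsymbol{a},x) \in \mathbb{F}_q^r \\ F(\boldsymbol{a},x)=0}} \sum_{\substack{y \in \mathbb{F}_q \\ F(\boldsymbol{a},y)=0}} \Big|\bigcup_{z \in \mathbb{F}_q} \{\boldsymbol{b} \in \mathbb{F}_q^{r-1} : F(\boldsymbol{b},z) = 0\}\Big|$$

$$= \sum_{F \in \mathcal{F}_{r,d}} \sum_{\substack{(\boldsymbol{a},x) \in \mathbb{F}_q^r \\ F(\boldsymbol{a},x)=0}} \sum_{\substack{y \in \mathbb{F}_q \\ F(\boldsymbol{a},y)=0}} \sum_{k=1}^{q} (-1)^{k-1} \sum_{\substack{Z_k \subset \mathbb{F}_q \\ |Z_k|=k}} |\{\boldsymbol{b} \in \mathbb{F}_q^{r-1} : F(\boldsymbol{b},T)|_{Z_k} = 0\}|$$

$$= \sum_{k=1}^{q} (-1)^{k-1} \sum_{\boldsymbol{a} \in \mathbb{F}_q^{r-1}} \sum_{x \in \mathbb{F}_q} \sum_{y \in \mathbb{F}_q} \sum_{\substack{Z_k \subset \mathbb{F}_q \\ |Z_k|=k}} \mathcal{N}_{\boldsymbol{a},x,y,Z_k},$$

where

$$\mathcal{N}_{\boldsymbol{a},x,y,Z_k} := \sum_{\substack{F \in \mathcal{F}_{r,d} \\ F(\boldsymbol{a},x)=F(\boldsymbol{a},y)=0}} |\{\boldsymbol{b} \in \mathbb{F}_q^{r-1} : F(\boldsymbol{b},T)|_{Z_k} = 0\}|
= \sum_{\boldsymbol{b} \in \mathbb{F}_q^{r-1}} |\{F \in \mathcal{F}_{r,d} : F(\boldsymbol{a},x) = 0,\ F(\boldsymbol{a},y) = 0,\ F(\boldsymbol{b},T)|_{Z_k} \equiv 0\}|.$$

Suppose that $k \le d$. For $\boldsymbol{b} \ne \boldsymbol{a}$ and $x \ne y$, the
equalities $F(\boldsymbol{a},x) = 0$, $F(\boldsymbol{a},y) = 0$,
$F(\boldsymbol{b},T)|_{Z_k} = 0$ are linearly-independent conditions on the
coefficients of $F$. If $\boldsymbol{b} \ne \boldsymbol{a}$ and $x = y$, then we have
$k+1$ linearly-independent conditions. Finally, for $\boldsymbol{b} = \boldsymbol{a}$,
the number of linearly-independent conditions depends on the size of the
intersection $\{x,y\} \cap Z_k$. It follows that

$$\mathcal{N}_{\boldsymbol{a},x,y,Z_k} = (q^{r-1} - 1)\, q^{\dim \mathcal{F}_{r,d} - k - |\{x,y\}|} + q^{\dim \mathcal{F}_{r,d} - \min\{d+1,\, |\{x,y\} \cup Z_k|\}}.$$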

Therefore, by elementary calculations we obtain 


E E E = (? r_1 -!) 


xGF, j/GF, Z k CM, 
\Z h \=k 


Q k ) q^r.a-k ( ?_1 + £)(! + 0(y 1 " 1 ')) 


~ “(9 r_1 — 1) 




(l + Ote 1 - 1 -)). 


Now assume that $k > d$. Then the condition $F(\boldsymbol{b},T)|_{Z_k} = 0$ is
equivalent to $F(\boldsymbol{b},T) = 0$. Arguing as above, we deduce that

EE E a= ^(r 1 -i)(E" m ^- (d+l) (idot? 1 -)). 


xGFg y GF, Z k CW Q 
\Z k \=k 


Putting these equalities together and using (ES, we obtain 


U = 2 y 2r-2+dim ~ Fr ’ d —F— (1 - q 1 ~ r ) 


2q 




E(-d 


k -i(Q\ q -d-i 


E ( -d 

' fc—1 v 7 /c—cZ+l 

=2 W y 2 ’'- 2+dim ^^(l + 0(y- 1 )). 

This finishes the proof of the lemma. □

Combining (5.6) with (5.5) and Lemma 5.5 it follows that

$$H \ge q^{r-1}\, h\!\left(\frac{2\mu_d\, q^{2r-2+\dim \mathcal{F}_{r,d}} \big(1 + O(q^{-1})\big)}{q^{r-1+\dim \mathcal{F}_{r,d}}}\right) \big(1 + O(q^{-1})\big).$$

In other words, we have the following result.
Theorem 5.6. If $H$ denotes the average entropy of the SVS algorithm, then

$$H \ge \frac{1}{2\mu_d} \log(q^{r-1}) \big(1 + O(q^{-1})\big).$$

Recall that, according to (5.3), for an algorithm for which the outputs are
equidistributed we have the upper bound $H \le \log(q^{r-1})$. For large $d$ we have

$$\frac{1}{2\mu_d} \approx \frac{1}{2(1 - e^{-1})} \approx 0.79.$$

We may therefore paraphrase Theorem 5.6 as saying that the SVS algorithm is at
least 79 per cent as good as any “ideal” algorithm.

6. Simulations on test examples

We end the paper with a description of the results on the number of searches
that were obtained by executing the SVS algorithm on random samples of elements
of $\mathcal{F}_{r,d}$, for given values of $q$, $r$ and $d$. Recall that
$C : \mathsf{F} \times \mathcal{F}_{r,d} \to \mathbb{N} \cup \{\infty\}$ denotes
the random variable which counts the number of searches that are performed for
all possible choices of vertical strips. Theorem 4.3 shows that

$$P[C = s] \approx (1 - \mu_d)^{s-1} \mu_d.$$

The simulations we exhibit were aimed to test whether the right-hand side of the
previous expression approximates the left-hand side on the examples considered.
For a random sample $S \subset \mathcal{F}_{r,d}$ and
$\underline{\boldsymbol{a}} \in \mathsf{F}_s$, we use the following notations:

$$\hat{p}_s^{\,\underline{\boldsymbol{a}}} := P_{r,d}\big[S \cap \{C_{\underline{\boldsymbol{a}}} = s\}\big],
\qquad p_s := (1 - \mu_d)^{s-1} \mu_d.$$

We take $N := 30$ choices of $\underline{\boldsymbol{a}} \in \mathsf{F}_s$, and compute
the sample mean

$$\hat{p}_s := \frac{1}{N} \sum_{i=1}^{N} \hat{p}_s^{\,\underline{\boldsymbol{a}}_i}.$$

Furthermore, we consider the corresponding relative errors:

$$\epsilon_s := \frac{|\hat{p}_s - p_s|}{\hat{p}_s}.$$

Finally, we compare the average number $N^{q}_{r,d}$ of vertical strips searched with
its theoretical upper bound according to Theorem 4.4, namely $1/\mu_d$.

We consider only relatively moderate values of $s$, since for higher values the
probability $\hat{p}_s^{\,\underline{\boldsymbol{a}}}$ is so small that the corresponding
information becomes uninteresting. This also explains the fact that relative errors
$\epsilon_s$ tend to grow as $s$ grows. Finally, we remark that, although polynomials
without $\mathbb{F}_q$-rational zeros occur in some of the experiments described
below, the number of such polynomials is so small that it does not affect the
average behavior of our simulations.
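A small-scale version of this experiment, added here as an illustration and not the authors' simulation code: it draws random bivariate polynomials over a prime field, counts the strips searched, and compares the empirical frequencies with $(1-\mu_d)^{s-1}\mu_d$. The formula used for $\mu_d$, the brute-force root test, the seed and all function names are assumptions of the example.

```python
import random
from math import factorial

def mu(d):
    """mu_d = sum_{j=1..d} (-1)^(j-1) / j!  (assumed definition; it
    reproduces the values of mu_3, mu_5 and mu_30 quoted in the text)."""
    return sum((-1) ** (j - 1) / factorial(j) for j in range(1, d + 1))

def random_poly(q, d, rng):
    """Uniform bivariate polynomial of degree <= d over F_q, q prime:
    a dict mapping (i, j) to the coefficient of X1^i * X2^j."""
    return {(i, j): rng.randrange(q)
            for i in range(d + 1) for j in range(d + 1 - i)}

def has_zero_on_strip(poly, a, q):
    """Does F(a, T) have a root in F_q?  Brute force over T stands in
    for the gcd with T^q - T used by the algorithm in the paper."""
    uni = {}  # coefficients of the univariate polynomial F(a, T)
    for (i, j), c in poly.items():
        uni[j] = (uni.get(j, 0) + c * pow(a, i, q)) % q
    return any(sum(c * pow(t, j, q) for j, c in uni.items()) % q == 0
               for t in range(q))

def searches(poly, q, rng):
    """Number of strips inspected until a zero is found; None when the
    polynomial has no F_q-rational zero at all."""
    for s, a in enumerate(rng.sample(range(q), q), start=1):
        if has_zero_on_strip(poly, a, q):
            return s
    return None

def simulate(q, d, samples, seed=2024):
    """Empirical law of the number of searches and its mean."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(samples):
        s = searches(random_poly(q, d, rng), q, rng)
        if s is not None:
            counts[s] = counts.get(s, 0) + 1
    total = sum(counts.values())
    freq = {s: n / total for s, n in sorted(counts.items())}
    return freq, sum(s * f for s, f in freq.items())

if __name__ == "__main__":
    freq, mean = simulate(q=67, d=5, samples=2000)
    for s in range(1, 6):
        predicted = (1 - mu(5)) ** (s - 1) * mu(5)
        print(s, round(freq.get(s, 0.0), 4), round(predicted, 4))
    print("mean searches:", round(mean, 4), "bound 1/mu_5:", round(1 / mu(5), 4))
```

The parameters $q = 67$, $r = 2$, $d = 5$ match the second experiment of Section 6.1, with a much smaller sample, so the frequencies fluctuate more than the tabulated ones.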

6.1. Examples with r := 2 and q := 67 and q := 8. In this section we consider
random samples of bivariate polynomials with coefficients in the finite field
$\mathbb{F}_{67}$. In Table 1 we consider a random sample $S$ of 1000000 polynomials
of $\mathbb{F}_{67}[X_1, X_2]$ of degree at most $d := 30$ and analyze how many
vertical strips are searched on this sample. Therefore, we have
$p_s := (1 - \mu_{30})^{s-1} \mu_{30}$, where $\mu_{30} := 0.6321205588\ldots$.
Further, we have $N^{67}_{2,30} = 1.574924\ldots$, to be compared with
$1/\mu_{30} = 1.581977\ldots$.

Our second example concerns a sample of 1000000 polynomials of
$\mathbb{F}_{67}[X_1, X_2]$ of degree at most $d := 5$. We have
$p_s := (1 - \mu_5)^{s-1} \mu_5$, where $\mu_5 := 0.6333333\ldots$. The corresponding
results are summarized in Table 2. We observe that $N^{67}_{2,5} = 1.572816\ldots$,
to be compared with $1/\mu_5 = 1.578947\ldots$.

We end this section by considering polynomials with coefficients in a non-prime
field, namely $\mathbb{F}_8[X_1, X_2]$. In this case,
$p_s := (1 - \mu_3)^{s-1} \mu_3$, where $\mu_3 := 0.666666\ldots$. In Table 3 the
results for a sample of 100000 polynomials of degree at most $d := 3$ are
exhibited. We have $N^{8}_{2,3} = 1.504512\ldots$, to be compared with
$1/\mu_3 = 1.5$.
Table 1. Random sample with q = 67, r = 2 and d = 30.

| $s$ | $\hat{p}_s$ | $p_s$ | $\epsilon_s$ |
|-----|-------------|-------|--------------|
| 1 | 0.635031 | 0.632121 | 0.004583 |
| 2 | 0.231664 | 0.232544 | 0.003799 |
| 3 | 0.084627 | 0.085548 | 0.010889 |
| 4 | 0.030921 | 0.031471 | 0.017789 |
| 5 | 0.011279 | 0.011578 | 0.026473 |
| 6 | 0.004101 | 0.004259 | 0.038575 |
| 7 | 0.001509 | 0.001567 | 0.038166 |
| 8 | 0.000553 | 0.000576 | 0.042349 |
| 9 | 0.000199 | 0.000212 | 0.067918 |
| 10 | 0.000076 | 0.000078 | 0.030513 |
| 11 | 0.000025 | 0.000029 | 0.161872 |
| 12 | 0.000010 | 0.000011 | 0.038441 |
| 13 | 0.000038 | 0.000003 | 0.022074 |
| 14 | 0.000011 | 0.000001 | 0.339501 |
| 15 | 0.000001 | 0.000001 | 0.051253 |


Table 2. Random sample with q = 67, r = 2 and d = 5.

| $s$ | $\hat{p}_s$ | $p_s$ | $\epsilon_s$ |
|-----|-------------|-------|--------------|
| 1 | 0.635885 | 0.633333 | 0.004012 |
| 2 | 0.231459 | 0.232222 | 0.003298 |
| 3 | 0.084318 | 0.085148 | 0.009844 |
| 4 | 0.030727 | 0.031221 | 0.016085 |
| 5 | 0.011188 | 0.011448 | 0.023224 |
| 6 | 0.004091 | 0.004197 | 0.025996 |
| 7 | 0.001481 | 0.001539 | 0.039029 |
| 8 | 0.000543 | 0.000564 | 0.040109 |
| 9 | 0.000195 | 0.000207 | 0.056976 |
| 10 | 0.000069 | 0.000076 | 0.085938 |
| 11 | 0.000029 | 0.000028 | 0.030685 |
| 12 | 0.000009 | 0.000010 | 0.129198 |
| 13 | 0.000003 | 0.000003 | 0.133380 |
| 14 | 0.000002 | 0.000001 | 0.085740 |
| 15 | 0.000001 | 0.000001 | 0.057169 |


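Table 3. Random sample with q = 8, r = 3 and d = 3.

| $s$ | $\hat{p}_s$ | $p_s$ | $\epsilon_s$ |
|-----|-------------|-------|--------------|
| 1 | 0.663161 | 0.666666 | 0.005259 |
| 2 | 0.222801 | 0.222222 | 0.002605 |
| 3 | 0.075617 | 0.074074 | 0.014151 |
| 4 | 0.025319 | 0.024691 | 0.020831 |
| 5 | 0.008725 | 0.008230 | 0.060146 |
| 6 | 0.002859 | 0.002743 | 0.042289 |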


6.2. Examples with r := 3 and q := 11 and q := 67. Finally, we consider
two samples of 1000000 polynomials of $\mathbb{F}_q[X_1, X_2, X_3]$. The first sample
contains polynomials of degree at most $d := 5$ with coefficients in
$\mathbb{F}_{11}$, while the second one contains polynomials of degree at most
$d := 5$ with coefficients in $\mathbb{F}_{67}$. Results are exhibited in Tables 4
and 5 respectively. The average numbers of searched vertical strips are
$N^{11}_{3,5} = 1.539646\ldots$ and $N^{67}_{3,5} = 1.572975\ldots$, both to be
compared with $1/\mu_5 = 1.578947\ldots$.


Table 4. Random sample with q = 11, r = 3 and d = 5.

| $s$ | $\hat{p}_s$ | $p_s$ | $\epsilon_s$ |
|-----|-------------|-------|--------------|
| 1 | 0.649494 | 0.633333 | 0.024881 |
| 2 | 0.227637 | 0.232222 | 0.020145 |
| 3 | 0.079769 | 0.085148 | 0.067430 |
| 4 | 0.027999 | 0.031221 | 0.115075 |
| 5 | 0.009822 | 0.011448 | 0.165519 |
| 6 | 0.003419 | 0.004198 | 0.227683 |
| 7 | 0.001213 | 0.001539 | 0.269344 |
| 8 | 0.000421 | 0.000564 | 0.340555 |
| 9 | 0.000149 | 0.000207 | 0.382851 |
| 10 | 0.000050 | 0.000076 | 0.504379 |
| 11 | 0.000017 | 0.000028 | 0.662509 |
| 12 | 0.000002 | 0.000010 | 0.500062 |
| 13 | 0.000002 | 0.000004 | 0.726225 |
| 14 | 0.000001 | 0.000001 | 0.523767 |
| 15 | 0.000000 | 0.000001 | 2.017058 |


Table 5. Random sample with q = 67, r = 3 and d = 5.

| $s$ | $\hat{p}_s$ | $p_s$ | $\epsilon_s$ |
|-----|-------------|-------|--------------|
| 1 | 0.635802 | 0.633333 | 0.003883 |
| 2 | 0.231571 | 0.232222 | 0.002810 |
| 3 | 0.084285 | 0.085148 | 0.010237 |
| 4 | 0.030732 | 0.031221 | 0.015898 |
| 5 | 0.011192 | 0.011447 | 0.022809 |
| 6 | 0.004081 | 0.004197 | 0.028645 |
| 7 | 0.001482 | 0.001539 | 0.038865 |
| 8 | 0.000541 | 0.000564 | 0.042865 |
| 9 | 0.000199 | 0.000207 | 0.039628 |
| 10 | 0.000071 | 0.000076 | 0.062618 |
| 11 | 0.000027 | 0.000028 | 0.017780 |
| 12 | 0.000010 | 0.000010 | 0.003320 |
| 13 | 0.000003 | 0.000004 | 0.078891 |
| 14 | 0.000001 | 0.000001 | 0.111938 |
| 15 | 0.000000 | 0.000001 | 0.257107 |


Summarizing, the results of Tables 1 to 5 show that the behavior predicted by the
asymptotic estimates of Theorems 4.3 and 4.4 is also appreciated in the numerical
experiments we perform. Nevertheless, as the cost of the SVS algorithm grows
exponentially with the number $r$ of variables under consideration, our experiments
only considered the cases $r = 2$ and $r = 3$.